From 544b9f0619b5ca547baac9356fb84688f8b317e6 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Mon, 4 Apr 2016 11:23:03 +0200 Subject: [PATCH 01/64] 1.1 Install updates --- bin/hardening/1.1_Install_Updates.sh | 21 +++++++++++++++-- lib/common.sh | 23 +++++++++++------- lib/main.sh | 6 ++++- lib/utils.sh | 35 ++++++++++++++++++++++++++++ 4 files changed, 74 insertions(+), 11 deletions(-) diff --git a/bin/hardening/1.1_Install_Updates.sh b/bin/hardening/1.1_Install_Updates.sh index 40d0d5a..70f720f 100755 --- a/bin/hardening/1.1_Install_Updates.sh +++ b/bin/hardening/1.1_Install_Updates.sh @@ -13,16 +13,32 @@ set -u # One variable unset, it's over # This function will be called if the script status is on enabled / audit mode audit () { - : + info "Checking if apt needs an update" + apt_update_if_needed + info "Fetching upgrades ..." + apt_check_updates "CIS_APT" + if [ $FNRET -gt 0 ]; then + warn "$RESULT" + FNRET=1 + else + ok "No upgrades available" + FNRET=0 + fi } # This function will be called if the script status is on enabled mode apply () { - : + if [ $FNRET -gt 0 ]; then + info "Applying Upgrades..." + DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' upgrade -y + else + ok "No Upgrades to apply" + fi } # This function will check config parameters required check_config() { + # No parameters for this function : } @@ -37,4 +53,5 @@ else fi fi +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) [ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/lib/common.sh b/lib/common.sh index 1a64f3d..cadf77e 100644 --- a/lib/common.sh +++ b/lib/common.sh 
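Review bot: The `apply` branch upgrades with `-o Dpkg::Options::='--force-confold'`, which keeps every locally modified configuration file and discards the packaged version, so a security-relevant change shipped in a package's default config is never applied on this host; that is a defensible choice for unattended runs but it deserves a comment above the call, e.g. `# Non-interactive upgrade: local config files win (confold); packaged config changes must be reviewed by hand`. A related caveat on the audit side: `apt-get upgrade -s` (via `apt_check_updates`) does not list packages that can only be upgraded by installing new dependencies, which typically holds back kernel image updates, so those are reported as `No upgrades available`; if `upgrade` rather than `dist-upgrade` is intended here, say so in the script header.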
@@ -9,14 +9,17 @@ case $LOGLEVEL in warning ) MACHINE_LOG_LEVEL=2 ;; - info ) + ok ) MACHINE_LOG_LEVEL=3 ;; - debug ) + info ) MACHINE_LOG_LEVEL=4 ;; + debug ) + MACHINE_LOG_LEVEL=5 + ;; *) - MACHINE_LOG_LEVEL=3 ## Default loglevel value to info + MACHINE_LOG_LEVEL=4 ## Default loglevel value to info esac _logger() { @@ -33,18 +36,22 @@ cecho () { echo -e "${COLOR}$*${NC}" } -info () { - [ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BWHITE "[INFO] $*" +crit () { + [ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*" } warn () { [ $MACHINE_LOG_LEVEL -ge 2 ] && _logger $BYELLOW "[WARN] $*" } -crit () { - [ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*" +ok () { + [ $MACHINE_LOG_LEVEL -ge 3 ] && _logger $BGREEN "[ OK ] $*" +} + +info () { + [ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $BWHITE "[INFO] $*" } debug () { - [ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $GRAY "[DBG ] $*" + [ $MACHINE_LOG_LEVEL -ge 5 ] && _logger $GRAY "[DBG ] $*" } diff --git a/lib/main.sh b/lib/main.sh index 69e554c..3cfcdc3 100644 --- a/lib/main.sh +++ b/lib/main.sh @@ -22,13 +22,17 @@ if [ -z $status ]; then fi case $status in - enabled | true ) + enabled | true ) + info "Checking Configuration" + check_config info "Performing audit" audit # Perform audit info "Applying Hardening" apply # Perform hardening ;; audit ) + info "Checking Configuration" + check_config info "Performing audit" audit # Perform audit ;; diff --git a/lib/utils.sh b/lib/utils.sh index de09676..ce93991 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
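Review bot: Each logging function in the second hunk (`crit`, `ok`, `info`, `debug`, and the unchanged `warn`) ends with `[ $MACHINE_LOG_LEVEL -ge N ] && _logger ...`, so when a message is below the configured level the function returns 1; every hardening script runs under `set -e` and calls these as plain statements (`info "Performing audit"` in lib/main.sh, `debug ...` in lib/utils.sh), so lowering LOGLEVEL from the shipped `debug` will abort a script at the first suppressed message. Make the functions always succeed, e.g. `[ $MACHINE_LOG_LEVEL -ge 4 ] && _logger $BWHITE "[INFO] $*" || :`, or wrap the test in an `if`. The renumbering of the levels in the first hunk is consistent with the `*)` default comment.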
@@ -16,3 +16,38 @@ is_installed() } +# contains helper functions to work with apt + +apt_update_if_needed() +{ + if [ -e /var/cache/apt/pkgcache.bin ] + then + UPDATE_AGE=$(( $(date +%s) - $(stat -c '%Y' /var/cache/apt/pkgcache.bin) )) + + if [ $UPDATE_AGE -gt 21600 ] + then + # update too old, refresh database + apt-get update -y >/dev/null 2>/dev/null + fi + else + apt-get update -y >/dev/null 2>/dev/null + fi +} + +apt_check_updates() +{ + local NAME="$1" + local DETAILS="/dev/shm/${NAME}" + LANGUAGE=C apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || : + local COUNT=$(wc -l < "$DETAILS") + FNRET=128 # Unknown function return result + RESULT="" # Result output for upgrade + if [ $COUNT -gt 0 ]; then + RESULT="There is $COUNT updates available :\n$(cat $DETAILS)" + FNRET=1 + else + RESULT="OK, no updates available" + FNRET=0 + fi + rm $DETAILS +} From 01b03f7aeb62011d1333939a991d3719f8defc27 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Mon, 4 Apr 2016 13:32:58 +0200 Subject: [PATCH 02/64] 2.1 Tmp Partition --- bin/hardening/2.1_tmp_Partition.sh | 69 ++++++++++++++++++++++++++++++ etc/conf.d/2.1_tmp_Partition.cfg | 2 + lib/utils.sh | 19 ++++++++ 3 files changed, 90 insertions(+) create mode 100755 bin/hardening/2.1_tmp_Partition.sh create mode 100644 etc/conf.d/2.1_tmp_Partition.cfg diff --git a/bin/hardening/2.1_tmp_Partition.sh b/bin/hardening/2.1_tmp_Partition.sh new file mode 100755 index 0000000..f2b5469 --- /dev/null +++ b/bin/hardening/2.1_tmp_Partition.sh 
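Review bot: `apt_check_updates` writes the simulation output to the fixed, predictable path `/dev/shm/CIS_APT` (`local DETAILS="/dev/shm/${NAME}"`) while running as root; /dev/shm is world-writable, so a pre-existing file or symlink of that name would be followed by `> $DETAILS`, read back by `cat $DETAILS` and removed by `rm $DETAILS`. Use an unpredictable temp file and fail closed when it cannot be created: `local DETAILS; DETAILS=$(mktemp) || { FNRET=128; RESULT="cannot create temp file"; return; }`, and `rm -f -- "$DETAILS"` at the end. Separately, `apt_update_if_needed` discards both streams of `apt-get update` (`>/dev/null 2>/dev/null`); under `set -e` a failed refresh (no network, bad mirror) aborts the whole script with no diagnostic, so keep stderr or report the failure through `warn`.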
@@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.1 Create Separate Partition for /tmp (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/tmp" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + is_mounted "$PARTITION" + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted" + FNRET=1 + else + ok "$PARTITION is mounted" + fi + fi + + : +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + else + info "mounting $PARTITION" + mount $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No parameter for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/2.1_tmp_Partition.cfg b/etc/conf.d/2.1_tmp_Partition.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.1_tmp_Partition.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/lib/utils.sh b/lib/utils.sh index ce93991..414eaa4 100644 --- a/lib/utils.sh 
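Review bot: The `else` branch that prints `No CIS_ROOT_DIR variable, aborting` does not abort: execution falls through to `[ -r $CIS_ROOT_DIR/lib/main.sh ] && . ...` with an empty variable, so the script silently does nothing and exits with the status of the failed test. Add `exit 128` after the echo, matching the branch above it. The same block is copied verbatim into 2.2_tmp_nodev.sh, 2.3_tmp_nosuid.sh, 2.4_tmp_noexec.sh, 2.5_var_partition.sh, 2.6.1_var_tmp_partition.sh, 2.6.2_var_tmp_nodev.sh and 2.6.3_var_tmp_nosuid.sh later in this series. In `apply`, `mount $PARTITION` should be `mount -- "$PARTITION"`, consistent with the quoted `is_a_partition "$PARTITION"` call in `audit`.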
+++ b/lib/utils.sh @@ -15,6 +15,25 @@ is_installed() return 1 } +is_a_partition() { + + local PARTITION_NAME=$1 + FNRET=128 + if $(grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"); then + FNRET=0 + else + FNRET=1 + fi +} + +is_mounted() { + local PARTITION_NAME=$1 + if $(grep -q "[[:space:]]$1[[:space:]]" /proc/mounts); then + FNRET=0 + else + FNRET=1 + fi +} # contains helper functions to work with apt From 0bf935bb178347c0c6ec832aba8f5ce5363fd283 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Mon, 4 Apr 2016 15:05:10 +0200 Subject: [PATCH 03/64] 2.2_tmp_nodev.sh --- bin/hardening/2.2_tmp_nodev.sh | 80 +++++++++++++++++++++++++++++++ etc/conf.d/2.2_tmp_nodev.cfg | 2 + etc/hardening.cfg | 4 ++ lib/common.sh | 20 ++++++++ lib/constants.sh | 20 ++------ lib/utils.sh | 86 ++++++++++++++++++++++++++++------ tmp/backups/.gitignore | 2 + 7 files changed, 183 insertions(+), 31 deletions(-) create mode 100755 bin/hardening/2.2_tmp_nodev.sh create mode 100644 etc/conf.d/2.2_tmp_nodev.cfg create mode 100644 tmp/backups/.gitignore diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh new file mode 100755 index 0000000..6b34d0f --- /dev/null +++ b/bin/hardening/2.2_tmp_nodev.sh 
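Review bot: Both new helpers test with `if $(grep ...)`, which runs the pipeline inside a command substitution and then executes its output as the command under test; it only works because the final `grep` is `-q`, and any output that ever reaches the substitution would be run as a command. Write the pipeline as the condition itself: `if grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"; then` and `if grep -q "[[:space:]]$1[[:space:]]" /proc/mounts; then`. `local PARTITION_NAME=$1` is declared in both functions but never used; either reference it in the patterns or drop it. The pattern also matches the token in any column, not only the mount-point field, so a device or option containing the same path would give a false positive; an awk test on `$2` would be stricter.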
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.2 Set nodev option for /tmp Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/tmp" +OPTION="nodev" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION have no option $OPTION in fstab !" + FNRET=1 + else + ok "$PARTITION have $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ $FNRET = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab $PARTITION $OPTION + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + elif [ $FNRET = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/2.2_tmp_nodev.cfg b/etc/conf.d/2.2_tmp_nodev.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.2_tmp_nodev.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/hardening.cfg b/etc/hardening.cfg index 0d0c454..2668c89 100644 --- a/etc/hardening.cfg +++ b/etc/hardening.cfg @@ -3,3 +3,7 @@ # Valid values are debug info warning error LOGLEVEL=debug + +# Backup directory, every file touched by hardennign will be backuped here, with versionning +# Means that if a file is modified more than once during the process, you will have hardening step diffs in the folder +BACKUPDIR="$CIS_ROOT_DIR/tmp/backups" diff --git a/lib/common.sh b/lib/common.sh index cadf77e..573474c 100644 --- a/lib/common.sh +++ b/lib/common.sh @@ -1,6 +1,26 @@ # CIS Debian 7 Hardening common functions +# +# File Backup functions +# +backup_file() { + FILE=$1 + if [ ! -f $FILE ]; then + crit "Cannot backup $FILE, it's not a file" + FNRET=1 + else + TARGET=$(echo $FILE | sed -s 's/\//./g' | sed -s 's/^.//' | sed -s "s/$/.$(date +%F-%T)/" ) + TARGET="$BACKUPDIR/$TARGET" + debug "Backuping $FILE to $TARGET" + cp -a $FILE $TARGET + FNRET=0 + fi +} + + +# # Logging functions +# case $LOGLEVEL in error ) diff --git a/lib/constants.sh b/lib/constants.sh index 682a71d..dc98747 100644 --- a/lib/constants.sh +++ b/lib/constants.sh @@ -1,23 +1,9 @@ # Defines constants for CIS Debian 7 Hardening -# +# Script and shell commands homogeneity +export LANG=C - - - - - - - - - - - - - - - -#### Useful Colot constants settings for loglevels +#### Useful Color constants settings for loglevels # Reset Color (for syslog) NC='\033[0m' 
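Review bot: `backup_file` in lib/common.sh assigns `FILE` and `TARGET` without `local`, so calling it overwrites any caller variable of the same name, and it never verifies that `$BACKUPDIR` exists, so the first `cp -a` into a missing directory aborts the script under `set -e` before the fstab edit it was meant to protect. Declare `local FILE=$1 TARGET`, add `mkdir -p -- "$BACKUPDIR"` (or a `[ -d "$BACKUPDIR" ]` check reported via `crit`) before the copy, and quote `"$FILE"` and `"$TARGET"` on the `cp` line. The `sed -s` flag is GNU's "separate files" option and does nothing on a pipe; the three `sed` calls reduce to `TARGET="${FILE#/}"; TARGET="${TARGET//\//.}.$(date +%F-%T)"`. The function sets `FNRET=1` on the not-a-file path, but `add_option_to_fstab` in lib/utils.sh does not check it, so the in-place `sed` on /etc/fstab would still run without a backup.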
diff --git a/lib/utils.sh b/lib/utils.sh index 414eaa4..5a2e081 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
@@ -2,40 +2,85 @@ -# -# Return if a package is installed -# @param $1 package name -# -is_installed() -{ - PKG_NAME=$1 - if `dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install '` ; then - return 0 - fi - return 1 -} +# +# Mounting point manipulation +# + +# Verify $1 is a partition declared in fstab is_a_partition() { local PARTITION_NAME=$1 FNRET=128 if $(grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vqE "^#"); then + debug "$PARTITION found in fstab" FNRET=0 else + debug "Unable to find $PARTITION in fstab" FNRET=1 fi } +# Verify that $1 is mounted at runtime is_mounted() { local PARTITION_NAME=$1 if $(grep -q "[[:space:]]$1[[:space:]]" /proc/mounts); then + debug "$PARTITION found in /proc/mounts, it's mounted" FNRET=0 else + debug "Unable to find $PARTITION in /proc/mounts" FNRET=1 fi } -# contains helper functions to work with apt +# Verify $1 has the proper option $2 in fstab +has_mount_option() { + local PARTITION=$1 + local OPTION=$2 + if $(grep "[[:space:]]$1[[:space:]]" /etc/fstab | grep -vE "^#" | awk {'print $4'} | grep -q "$2"); then + debug "$OPTION has been detected in fstab for partition $PARTITION" + FNRET=0 + else + debug "Unable to find $OPTION in fstab for partition $PARTITION" + FNRET=1 + fi +} + +# Verify $1 has the proper option $2 at runtime +has_mounted_option() { + local PARTITION=$1 + local OPTION=$2 + if $(grep "[[:space:]]$1[[:space:]]" /proc/mounts | awk {'print $4'} | grep -q "$2"); then + debug "$OPTION has been detected in /proc/mounts for partition $PARTITION" + FNRET=0 + else + debug "Unable to find $OPTION in /proc/mounts for partition $PARTITION" + FNRET=1 + fi +} + +# Setup mount option in fstab +add_option_to_fstab() { + local PARTITION=$1 + local OPTION=$2 + debug "Setting $OPTION for $PARTITION in fstab" + backup_file "/etc/fstab" + # For example : + # /dev/sda9 /home ext4 auto,acl,errors=remount-ro 0 2 + # /dev/sda9 /home ext4 auto,acl,errors=remount-ro,nodev 0 2 + debug "Sed command : sed -ie 
\"s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;\" /etc/fstab" + sed -ie "s;\(.*\)\(\s*\)\s\($PARTITION\)\s\(\s*\)\(\w*\)\(\s*\)\(\w*\)*;\1\2 \3 \4\5\6\7,$OPTION;" /etc/fstab +} + +remount_partition() { + local PARTITION=$1 + debug "Remounting $PARTITION" + mount -o remount $PARTITION +} + +# +# Helper functions to work with apt +# apt_update_if_needed() { @@ -57,7 +102,7 @@ apt_check_updates() { local NAME="$1" local DETAILS="/dev/shm/${NAME}" - LANGUAGE=C apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || : + apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || : local COUNT=$(wc -l < "$DETAILS") FNRET=128 # Unknown function return result RESULT="" # Result output for upgrade @@ -70,3 +115,16 @@ apt_check_updates() fi rm $DETAILS } + +# +# Returns if a package is installed +# + +is_installed() +{ + PKG_NAME=$1 + if `dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install '` ; then + FNRET=0 + fi + FNRET=1 +} diff --git a/tmp/backups/.gitignore b/tmp/backups/.gitignore new file mode 100644 index 0000000..6b1ce3f --- /dev/null +++ b/tmp/backups/.gitignore @@ -0,0 +1,2 @@ +# Ignore everything, this is a place holder for the git +* From 361725076c285ef510d06cbfedf19e884ec7cfad Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Mon, 4 Apr 2016 16:28:40 +0200 Subject: [PATCH 04/64] 2.3_tmp_nosuid.sh --- bin/hardening/2.3_tmp_nosuid.sh | 80 +++++++++++++++++++++++++++++++++ etc/conf.d/2.3_tmp_nosuid.cfg | 2 + 2 files changed, 82 insertions(+) create mode 100755 bin/hardening/2.3_tmp_nosuid.sh create mode 100644 etc/conf.d/2.3_tmp_nosuid.cfg diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh new file mode 100755 index 0000000..a361ca7 --- /dev/null +++ b/bin/hardening/2.3_tmp_nosuid.sh 
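Review bot: `sed -ie "..." /etc/fstab` in `add_option_to_fstab` is parsed by GNU sed as `-i` with backup suffix `e`, not as `-i -e`, so every run leaves a stray `/etc/fstabe` copy behind; write it as `sed -i -e "s;...;" /etc/fstab` (the `backup_file` call already provides the backup). The substitution's `\(\w*\)*` group captures only a run of word characters, so with the hunk's own example `auto,acl,errors=remount-ro` the new option is spliced after the first word, and when the first option contains `=` or `-` (e.g. `errors=remount-ro`) the result is `errors,nodev=remount-ro`, a broken entry; appending to the whole fourth field, e.g. with awk on `$2 == partition`, is safer than a word-class regex. `has_mount_option` and `has_mounted_option` end in `grep -q "$2"`, an unanchored substring match on the options field; `grep -qE "(^|,)$2(,|$)"` avoids matching one option inside another. The `debug` lines added to `is_a_partition` and `is_mounted` print `$PARTITION`, which is the calling script's global, rather than the function's own `$PARTITION_NAME` argument.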
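Review bot: The rewritten line `apt-get upgrade -s 2>/dev/null | grep -E "^Inst" > $DETAILS || :` turns any failure of the simulation itself (broken dpkg state, unreadable lists) into an empty file, which the function then reports as `OK, no updates available`; with no `pipefail` and the trailing `|| :`, apt-get's exit status is never observed. Capture the simulation first and fail closed: `local sim; sim=$(apt-get upgrade -s 2>/dev/null) || { FNRET=128; RESULT="apt-get simulation failed"; return; }`, then `grep -E "^Inst" <<<"$sim" > "$DETAILS" || :`. Dropping `LANGUAGE=C` in favour of `export LANG=C` from lib/constants.sh is only equivalent when `LC_ALL` and `LANGUAGE` are unset in the caller's environment, since both take precedence over `LANG`; `LC_ALL=C` on the command itself is the form that cannot be overridden.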
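Review bot: The moved `is_installed` always ends with `FNRET=1`, because that assignment sits after the `fi` instead of in an `else` branch, so an installed package is reported as not installed regardless of the `dpkg -s` result. Move it into the `if` as `else FNRET=1`, and write the condition as the pipeline itself rather than executing its captured output: `if dpkg -s "$PKG_NAME" 2>/dev/null | grep -q '^Status: install '; then`. `PKG_NAME` should also be `local`, as the other helpers in this file do for their arguments.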
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.3 Set nosuid option for /tmp Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/tmp" +OPTION="nosuid" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION have no option $OPTION in fstab !" + FNRET=1 + else + ok "$PARTITION have $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ $FNRET = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab $PARTITION $OPTION + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + elif [ $FNRET = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/2.3_tmp_nosuid.cfg b/etc/conf.d/2.3_tmp_nosuid.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.3_tmp_nosuid.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled From e73078834c6eaa91533fd094ddd20c8250a5037d Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Mon, 4 Apr 2016 16:48:21 +0200 Subject: [PATCH 05/64] 2.4_tmp_noexec.sh --- bin/hardening/2.4_tmp_noexec.sh | 80 +++++++++++++++++++++++++++++++++ etc/conf.d/2.4_tmp_noexec.cfg | 2 + 2 files changed, 82 insertions(+) create mode 100755 bin/hardening/2.4_tmp_noexec.sh create mode 100644 etc/conf.d/2.4_tmp_noexec.cfg diff --git a/bin/hardening/2.4_tmp_noexec.sh b/bin/hardening/2.4_tmp_noexec.sh new file mode 100755 index 0000000..9d61da1 --- /dev/null +++ b/bin/hardening/2.4_tmp_noexec.sh 
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.4 Set noexec option for /tmp Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/tmp" +OPTION="noexec" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION have no option $OPTION in fstab !" + FNRET=1 + else + ok "$PARTITION have $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ $FNRET = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab $PARTITION $OPTION + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + elif [ $FNRET = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/2.4_tmp_noexec.cfg b/etc/conf.d/2.4_tmp_noexec.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.4_tmp_noexec.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled From 0a897c8bb79a118f7e0d88f34024f3d73c5b35d8 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Mon, 4 Apr 2016 16:50:57 +0200 Subject: [PATCH 06/64] 2.5_var_partition.sh + refacto --- ...tall_Updates.sh => 1.1_install_updates.sh} | 0 ..._tmp_Partition.sh => 2.1_tmp_partition.sh} | 0 bin/hardening/2.5_var_partition.sh | 69 +++++++++++++++++++ ...ll_Updates.cfg => 1.1_install_updates.cfg} | 0 ...mp_Partition.cfg => 2.1_tmp_partition.cfg} | 0 etc/conf.d/2.5_var_partition.cfg | 2 + 6 files changed, 71 insertions(+) rename bin/hardening/{1.1_Install_Updates.sh => 1.1_install_updates.sh} (100%) rename bin/hardening/{2.1_tmp_Partition.sh => 2.1_tmp_partition.sh} (100%) create mode 100755 bin/hardening/2.5_var_partition.sh rename etc/conf.d/{1.1_Install_Updates.cfg => 1.1_install_updates.cfg} (100%) rename etc/conf.d/{2.1_tmp_Partition.cfg => 2.1_tmp_partition.cfg} (100%) create mode 100644 etc/conf.d/2.5_var_partition.cfg diff --git a/bin/hardening/1.1_Install_Updates.sh b/bin/hardening/1.1_install_updates.sh similarity index 100% rename from bin/hardening/1.1_Install_Updates.sh rename to bin/hardening/1.1_install_updates.sh diff --git a/bin/hardening/2.1_tmp_Partition.sh b/bin/hardening/2.1_tmp_partition.sh similarity index 100% rename from bin/hardening/2.1_tmp_Partition.sh rename to bin/hardening/2.1_tmp_partition.sh diff --git a/bin/hardening/2.5_var_partition.sh b/bin/hardening/2.5_var_partition.sh new file mode 100755 index 0000000..3a0fed6 
--- /dev/null +++ b/bin/hardening/2.5_var_partition.sh @@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.5 Create Separate Partition for /var (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/var" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + is_mounted "$PARTITION" + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted" + FNRET=1 + else + ok "$PARTITION is mounted" + fi + fi + + : +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + else + info "mounting $PARTITION" + mount $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No parameter for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/1.1_Install_Updates.cfg b/etc/conf.d/1.1_install_updates.cfg similarity index 100% rename from etc/conf.d/1.1_Install_Updates.cfg rename to etc/conf.d/1.1_install_updates.cfg 
diff --git a/etc/conf.d/2.1_tmp_Partition.cfg b/etc/conf.d/2.1_tmp_partition.cfg similarity index 100% rename from etc/conf.d/2.1_tmp_Partition.cfg rename to etc/conf.d/2.1_tmp_partition.cfg diff --git a/etc/conf.d/2.5_var_partition.cfg b/etc/conf.d/2.5_var_partition.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.5_var_partition.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled From 87a7f2e6dd67abe1c76e8daa60e077c7b853354b Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Tue, 5 Apr 2016 09:07:15 +0200 Subject: [PATCH 07/64] 2.6.1_var_tmp_partition.sh --- bin/hardening/2.6.1_var_tmp_partition.sh | 69 ++++++++++++++++++++++++ etc/conf.d/2.6.1_var_tmp_partition.cfg | 2 + 2 files changed, 71 insertions(+) create mode 100755 bin/hardening/2.6.1_var_tmp_partition.sh create mode 100644 etc/conf.d/2.6.1_var_tmp_partition.cfg diff --git a/bin/hardening/2.6.1_var_tmp_partition.sh b/bin/hardening/2.6.1_var_tmp_partition.sh new file mode 100755 index 0000000..cee9b19 --- /dev/null +++ b/bin/hardening/2.6.1_var_tmp_partition.sh 
@@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.1 Create Separate Partition for /tmp (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/var/tmp" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + is_mounted "$PARTITION" + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted" + FNRET=1 + else + ok "$PARTITION is mounted" + fi + fi + + : +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + else + info "mounting $PARTITION" + mount $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No parameter for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/2.6.1_var_tmp_partition.cfg b/etc/conf.d/2.6.1_var_tmp_partition.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.6.1_var_tmp_partition.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled From 2aaee475e0d6707c83970b8b52cd9190e10688ce Mon Sep 17 00:00:00 2001 
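Review bot: The header comment of the new 2.6.1_var_tmp_partition.sh still reads `# 2.1 Create Separate Partition for /tmp (Scored)` while the script sets `PARTITION="/var/tmp"`; it should be `# 2.6.1 Create Separate Partition for /var/tmp (Scored)`. The same copy-paste headers appear in 2.6.2_var_tmp_nodev.sh (`# 2.2 ... for /tmp`) and 2.6.3_var_tmp_nosuid.sh (`# 2.3 ... for /tmp`) in the next patch of this series. The audit/apply bodies are otherwise identical to the /tmp and /var scripts, so the control number in the header is the only thing that identifies the CIS item for a reader.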
From: "thibault.dewailly" Date: Tue, 5 Apr 2016 09:11:51 +0200 Subject: [PATCH 08/64] 2.6.2_var_tmp_nodev.sh 2.6.3_var_tmp_nosuid.sh --- bin/hardening/2.6.2_var_tmp_nodev.sh | 80 +++++++++++++++++++++++++++ bin/hardening/2.6.3_var_tmp_nosuid.sh | 80 +++++++++++++++++++++++++++ etc/conf.d/2.6.2_var_tmp_nodev.cfg | 2 + etc/conf.d/2.6.3_var_tmp_nosuid.cfg | 2 + etc/hardening.cfg | 2 +- 5 files changed, 165 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/2.6.2_var_tmp_nodev.sh create mode 100755 bin/hardening/2.6.3_var_tmp_nosuid.sh create mode 100644 etc/conf.d/2.6.2_var_tmp_nodev.cfg create mode 100644 etc/conf.d/2.6.3_var_tmp_nosuid.cfg diff --git a/bin/hardening/2.6.2_var_tmp_nodev.sh b/bin/hardening/2.6.2_var_tmp_nodev.sh new file mode 100755 index 0000000..adac6da --- /dev/null +++ b/bin/hardening/2.6.2_var_tmp_nodev.sh 
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.2 Set nodev option for /tmp Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/var/tmp" +OPTION="nodev" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION have no option $OPTION in fstab !" + FNRET=1 + else + ok "$PARTITION have $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ $FNRET = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab $PARTITION $OPTION + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + elif [ $FNRET = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.6.3_var_tmp_nosuid.sh b/bin/hardening/2.6.3_var_tmp_nosuid.sh new file mode 100755 index 0000000..3ba5356 --- /dev/null +++ b/bin/hardening/2.6.3_var_tmp_nosuid.sh 
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.3 Set nosuid option for /tmp Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/tmp"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=3
+ else
+ ok "$PARTITION mounted with $OPTION"
+ fi
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ elif [ $FNRET = 3 ]; then
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/2.6.2_var_tmp_nodev.cfg b/etc/conf.d/2.6.2_var_tmp_nodev.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/2.6.2_var_tmp_nodev.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/2.6.3_var_tmp_nosuid.cfg b/etc/conf.d/2.6.3_var_tmp_nosuid.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/2.6.3_var_tmp_nosuid.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/hardening.cfg b/etc/hardening.cfg
index 2668c89..d7cbc71 100644
--- a/etc/hardening.cfg
+++ b/etc/hardening.cfg
@@ -1,7 +1,7 @@
 # CIS Debian 7 Hardening
 # Main Configuration File, put here global variables
-# Valid values are debug info warning error
+# Valid values are debug info ok warning error
 LOGLEVEL=debug
 # Backup directory, every file touched by hardennign will be backuped here, with versionning
From 36e652d227067368db27b93a267fae66a0df3cc3 Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Tue, 5 Apr 2016 09:18:51 +0200
Subject: [PATCH 09/64] 2.6.4_var_tmp_noexec.sh 2.7_var_log_partition.sh
---
 bin/hardening/2.6.1_var_tmp_partition.sh | 2 +-
 bin/hardening/2.6.2_var_tmp_nodev.sh | 2 +-
 bin/hardening/2.6.3_var_tmp_nosuid.sh | 2 +-
 bin/hardening/2.6.4_var_tmp_noexec.sh | 80 ++++++++++++++++++++
 bin/hardening/2.7_var_log_partition.sh | 69 ++++++++++++++++++++
 etc/conf.d/2.6.2_var_tmp_nodev.cfg | 2 +-
 etc/conf.d/2.6.3_var_tmp_nosuid.cfg | 2 +-
 etc/conf.d/2.6.4_var_tmp_noexec.cfg | 2 +
 etc/conf.d/2.7_var_log_partition.cfg | 2 +
 9 files changed, 158 insertions(+), 5 deletions(-)
 create mode 100755 bin/hardening/2.6.4_var_tmp_noexec.sh
 create mode 100755 bin/hardening/2.7_var_log_partition.sh
 create mode 100644 etc/conf.d/2.6.4_var_tmp_noexec.cfg
 create mode 100644 etc/conf.d/2.7_var_log_partition.cfg
diff --git a/bin/hardening/2.6.1_var_tmp_partition.sh b/bin/hardening/2.6.1_var_tmp_partition.sh
index cee9b19..1a1348b 100755
--- a/bin/hardening/2.6.1_var_tmp_partition.sh
+++ b/bin/hardening/2.6.1_var_tmp_partition.sh
@@ -5,7 +5,7 @@
 #
 #
-# 2.1 Create Separate Partition for /tmp (Scored)
+# 2.6.1 Create Separate Partition for /var/tmp (Scored)
 #
 set -e # One error, it's over
diff --git a/bin/hardening/2.6.2_var_tmp_nodev.sh b/bin/hardening/2.6.2_var_tmp_nodev.sh
index adac6da..2be7322 100755
--- a/bin/hardening/2.6.2_var_tmp_nodev.sh
+++ b/bin/hardening/2.6.2_var_tmp_nodev.sh
@@ -5,7 +5,7 @@
 #
 #
-# 2.2 Set nodev option for /tmp Partition (Scored)
+# 2.6.2 Set nodev option for /var/tmp Partition (Scored)
 #
 set -e # One error, it's over
diff --git a/bin/hardening/2.6.3_var_tmp_nosuid.sh b/bin/hardening/2.6.3_var_tmp_nosuid.sh
index 3ba5356..992d8e6 100755
--- a/bin/hardening/2.6.3_var_tmp_nosuid.sh
+++ b/bin/hardening/2.6.3_var_tmp_nosuid.sh
@@ -5,7 +5,7 @@
 #
 #
-# 2.3 Set nosuid option for /tmp Partition (Scored)
+# 2.6.3 Set nosuid option for /var/tmp Partition (Scored)
 #
 set -e # One error, it's over
diff --git a/bin/hardening/2.6.4_var_tmp_noexec.sh b/bin/hardening/2.6.4_var_tmp_noexec.sh
new file mode 100755
index 0000000..223477f
--- /dev/null
+++ b/bin/hardening/2.6.4_var_tmp_noexec.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.6.4 Set noexec option for /var/tmp Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/tmp"
+OPTION="noexec"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=3
+ else
+ ok "$PARTITION mounted with $OPTION"
+ fi
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ elif [ $FNRET = 3 ]; then
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.7_var_log_partition.sh b/bin/hardening/2.7_var_log_partition.sh
new file mode 100755
index 0000000..32b2c74
--- /dev/null
+++ b/bin/hardening/2.7_var_log_partition.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.7 Create Separate Partition for /var/log (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ is_mounted "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted"
+ FNRET=1
+ else
+ ok "$PARTITION is mounted"
+ fi
+ fi
+
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ else
+ info "mounting $PARTITION"
+ mount $PARTITION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No parameter for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/2.6.2_var_tmp_nodev.cfg b/etc/conf.d/2.6.2_var_tmp_nodev.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/2.6.2_var_tmp_nodev.cfg
+++ b/etc/conf.d/2.6.2_var_tmp_nodev.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
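Review bot: `apply` runs `mount $PARTITION` for any `FNRET` other than 0 or 2, and for an unmounted `/var/log` that mounts the new filesystem over a directory that is very likely already populated, hiding whatever log files sit underneath the mount point without any warning to the operator. A `warn` before the mount naming that consequence, and ideally a check that the directory is empty or a hint to migrate its contents first, would make the enabled mode safer; the `else` should also be an explicit `elif [ $FNRET = 1 ]` so an unexpected value does not trigger a mount. The trailing `:` after the `if` block in `audit` is dead code and can be dropped. The same `apply` shape is used in the 2.8 (/var/log/audit) and 2.9 (/home) hunks, where an already-populated directory is at least as likely.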
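Review bot: This flip of `status=enabled` to `status=disabled` (and the one for 2.6.3 in the next hunk) lands in the same commit that creates 2.7's .cfg with `status=enabled`, and the same pattern repeats for 2.7 and 2.16 in later commits on this page, so across the series only the most recently added script is enabled and each previously enabled one is switched off one commit later. That reads as local testing state rather than a deliberate default. If `disabled` is the intended shipped default, the new .cfg files should be created with it so a fresh checkout never runs `apply` for whichever script happened to be added last; if `enabled` is intended for Scored items, these flips should be dropped. A one-line comment stating the policy in the .cfg, e.g. `# status: audit | enabled | disabled`, would make the intent reviewable.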
diff --git a/etc/conf.d/2.6.3_var_tmp_nosuid.cfg b/etc/conf.d/2.6.3_var_tmp_nosuid.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/2.6.3_var_tmp_nosuid.cfg
+++ b/etc/conf.d/2.6.3_var_tmp_nosuid.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/2.6.4_var_tmp_noexec.cfg b/etc/conf.d/2.6.4_var_tmp_noexec.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.6.4_var_tmp_noexec.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.7_var_log_partition.cfg b/etc/conf.d/2.7_var_log_partition.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/2.7_var_log_partition.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From 362f23f35dbd96b860a1ecad10b8fa51139e95fd Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Tue, 5 Apr 2016 09:29:09 +0200
Subject: [PATCH 10/64] 2.8_var_log_audit_partition.sh 2.9_home_partition.sh
---
 bin/hardening/2.8_var_log_audit_partition.sh | 69 ++++++++++++++++++++
 bin/hardening/2.9_home_partition.sh | 69 ++++++++++++++++++++
 etc/conf.d/2.7_var_log_partition.cfg | 2 +-
 etc/conf.d/2.8_var_log_audit_partition.cfg | 2 +
 etc/conf.d/2.9_home_partition.cfg | 2 +
 5 files changed, 143 insertions(+), 1 deletion(-)
 create mode 100755 bin/hardening/2.8_var_log_audit_partition.sh
 create mode 100755 bin/hardening/2.9_home_partition.sh
 create mode 100644 etc/conf.d/2.8_var_log_audit_partition.cfg
 create mode 100644 etc/conf.d/2.9_home_partition.cfg
diff --git a/bin/hardening/2.8_var_log_audit_partition.sh b/bin/hardening/2.8_var_log_audit_partition.sh
new file mode 100755
index 0000000..9c7bf92
--- /dev/null
+++ b/bin/hardening/2.8_var_log_audit_partition.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.8 Create Separate Partition for /var/log/audit (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick factoring as many script use the same logic
+PARTITION="/var/log/audit"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ is_mounted "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted"
+ FNRET=1
+ else
+ ok "$PARTITION is mounted"
+ fi
+ fi
+
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ else
+ info "mounting $PARTITION"
+ mount $PARTITION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No parameter for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.9_home_partition.sh b/bin/hardening/2.9_home_partition.sh
new file mode 100755
index 0000000..2fe6fd1
--- /dev/null
+++ b/bin/hardening/2.9_home_partition.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.8 Create Separate Partition for /var/log/audit (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick factoring as many script use the same logic
+PARTITION="/home"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ is_mounted "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted"
+ FNRET=1
+ else
+ ok "$PARTITION is mounted"
+ fi
+ fi
+
+ :
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ else
+ info "mounting $PARTITION"
+ mount $PARTITION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No parameter for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/2.7_var_log_partition.cfg b/etc/conf.d/2.7_var_log_partition.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/2.7_var_log_partition.cfg
+++ b/etc/conf.d/2.7_var_log_partition.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/2.8_var_log_audit_partition.cfg b/etc/conf.d/2.8_var_log_audit_partition.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.8_var_log_audit_partition.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.9_home_partition.cfg b/etc/conf.d/2.9_home_partition.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.9_home_partition.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
From b41c8d3aab0b4f2ca512b61c5c11fc9febf01b2b Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Tue, 5 Apr 2016 11:48:45 +0200
Subject: [PATCH 11/64] 2.10_home_nodev.sh 2.11_removable_device_nodev.sh 2.12_removable_device_noexec.sh
---
 bin/hardening/2.10_home_nodev.sh | 80 +++++++++++++++++++
 bin/hardening/2.11_removable_device_nodev.sh | 68 ++++++++++++++++
 bin/hardening/2.12_removable_device_noexec.sh | 68 ++++++++++++++++
 bin/hardening/2.9_home_partition.sh | 2 +-
 etc/conf.d/2.10_home_nodev.cfg | 2 +
 etc/conf.d/2.11_removable_device_nodev.cfg | 2 +
 etc/conf.d/2.12_removable_device_noexec.cfg | 2 +
 7 files changed, 223 insertions(+), 1 deletion(-)
 create mode 100755 bin/hardening/2.10_home_nodev.sh
 create mode 100755 bin/hardening/2.11_removable_device_nodev.sh
 create mode 100755 bin/hardening/2.12_removable_device_noexec.sh
 create mode 100644 etc/conf.d/2.10_home_nodev.cfg
 create mode 100644 etc/conf.d/2.11_removable_device_nodev.cfg
 create mode 100644 etc/conf.d/2.12_removable_device_noexec.cfg
diff --git a/bin/hardening/2.10_home_nodev.sh b/bin/hardening/2.10_home_nodev.sh
new file mode 100755
index 0000000..1c8a414
--- /dev/null
+++ b/bin/hardening/2.10_home_nodev.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.10 Add nodev Option to /home (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick factoring as many script use the same logic
+PARTITION="/home"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=3
+ else
+ ok "$PARTITION mounted with $OPTION"
+ fi
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ elif [ $FNRET = 3 ]; then
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.11_removable_device_nodev.sh b/bin/hardening/2.11_removable_device_nodev.sh
new file mode 100755
index 0000000..010a432
--- /dev/null
+++ b/bin/hardening/2.11_removable_device_nodev.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.11 Add nodev Option to Removable Media Partitions (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
+
+# Quick factoring as many script use the same logic
+PARTITION="/media\S*"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying if there is $PARTITION like partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ ok "There is no partition like $PARTITION"
+ FNRET=0
+ else
+ info "detected $PARTITION like"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.12_removable_device_noexec.sh b/bin/hardening/2.12_removable_device_noexec.sh
new file mode 100755
index 0000000..1258880
--- /dev/null
+++ b/bin/hardening/2.12_removable_device_noexec.sh
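Review bot: `PARTITION="/media\S*"` is a regular expression, not a mount point, yet it is handed to `has_mount_option` and `add_option_to_fstab` as if it were one (unquoted, so also subject to word splitting and globbing) and printed verbatim in the operator-facing messages, e.g. `"/media\S* is correctly set"`. Whether the helpers in lib/utils.sh accept a pattern is not visible in this hunk; if `add_option_to_fstab` expects a literal mount point the `apply` branch will not find an entry to edit, and if `has_mount_option` greps for the pattern, one `/media*` line carrying `nodev` would satisfy the check even when other removable-media entries lack it. Iterating over the matching fstab entries and checking and fixing each one individually would make the result per-device and the messages meaningful. The header comment already concedes the check is not exhaustive, which is worth echoing in the `ok` message rather than reporting a pattern as "correctly set". The 2.12 and 2.13 hunks use the same construction.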
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.12 Add noexec Option to Removable Media Partitions (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
+
+# Quick factoring as many script use the same logic
+PARTITION="/media\S*"
+OPTION="noexec"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying if there is $PARTITION like partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ ok "There is no partition like $PARTITION"
+ FNRET=0
+ else
+ info "detected $PARTITION like"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.9_home_partition.sh b/bin/hardening/2.9_home_partition.sh
index 2fe6fd1..04270db 100755
--- a/bin/hardening/2.9_home_partition.sh
+++ b/bin/hardening/2.9_home_partition.sh
@@ -5,7 +5,7 @@
 #
 #
-# 2.8 Create Separate Partition for /var/log/audit (Scored)
+# 2.9 Create Separate Partition for /home (Scored)
 #
 set -e # One error, it's over
diff --git a/etc/conf.d/2.10_home_nodev.cfg b/etc/conf.d/2.10_home_nodev.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.10_home_nodev.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.11_removable_device_nodev.cfg b/etc/conf.d/2.11_removable_device_nodev.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.11_removable_device_nodev.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
diff --git a/etc/conf.d/2.12_removable_device_noexec.cfg b/etc/conf.d/2.12_removable_device_noexec.cfg
new file mode 100644
index 0000000..acee522
--- /dev/null
+++ b/etc/conf.d/2.12_removable_device_noexec.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=disabled
From 880499939bf436406a7522c3b1330e47e696005d Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Tue, 5 Apr 2016 13:16:00 +0200
Subject: [PATCH 12/64] 2.13_removable_device_nosuid.sh 2.14_run_shm_nodev.sh 2.15_run_shm_nosuid.sh 2.16_run_shm_noexec.sh
---
 bin/hardening/2.13_removable_device_nosuid.sh | 68 ++++++++++++++++
 bin/hardening/2.14_run_shm_nodev.sh | 80 +++++++++++++++++++
 bin/hardening/2.15_run_shm_nosuid.sh | 80 +++++++++++++++++++
 bin/hardening/2.16_run_shm_noexec.sh | 80 +++++++++++++++++++
 etc/conf.d/2.13_removable_device_nosuid.cfg | 2 +
 etc/conf.d/2.14_run_shm_nodev.cfg | 2 +
 etc/conf.d/2.15_run_shm_nosuid.cfg | 2 +
 etc/conf.d/2.16_run_shm_noexec.cfg | 2 +
 8 files changed, 316 insertions(+)
 create mode 100755 bin/hardening/2.13_removable_device_nosuid.sh
 create mode 100755 bin/hardening/2.14_run_shm_nodev.sh
 create mode 100755 bin/hardening/2.15_run_shm_nosuid.sh
 create mode 100755 bin/hardening/2.16_run_shm_noexec.sh
 create mode 100644 etc/conf.d/2.13_removable_device_nosuid.cfg
 create mode 100644 etc/conf.d/2.14_run_shm_nodev.cfg
 create mode 100644 etc/conf.d/2.15_run_shm_nosuid.cfg
 create mode 100644 etc/conf.d/2.16_run_shm_noexec.cfg
diff --git a/bin/hardening/2.13_removable_device_nosuid.sh b/bin/hardening/2.13_removable_device_nosuid.sh
new file mode 100755
index 0000000..351d94b
--- /dev/null
+++ b/bin/hardening/2.13_removable_device_nosuid.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.13 Add nosuid Option to Removable Media Partitions (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Fair warning, it only checks /media.* like partition in fstab, it's not exhaustive
+
+# Quick factoring as many script use the same logic
+PARTITION="/media\S*"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying if there is $PARTITION like partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ ok "There is no partition like $PARTITION"
+ FNRET=0
+ else
+ info "detected $PARTITION like"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.14_run_shm_nodev.sh b/bin/hardening/2.14_run_shm_nodev.sh
new file mode 100755
index 0000000..d58d354
--- /dev/null
+++ b/bin/hardening/2.14_run_shm_nodev.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.14 Add nodev Option to /run/shm Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick factoring as many script use the same logic
+PARTITION="/run/shm"
+OPTION="nodev"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=3
+ else
+ ok "$PARTITION mounted with $OPTION"
+ fi
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ elif [ $FNRET = 3 ]; then
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.15_run_shm_nosuid.sh b/bin/hardening/2.15_run_shm_nosuid.sh
new file mode 100755
index 0000000..451944a
--- /dev/null
+++ b/bin/hardening/2.15_run_shm_nosuid.sh
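Review bot: On Debian 7 `/run/shm` is normally a tmpfs set up by the init scripts without an /etc/fstab line, so if `is_a_partition` (defined in lib/utils.sh, not visible here) only consults fstab, `audit` will report `crit "/run/shm is not a partition"` with `FNRET=2` on a default install and `apply` will then refuse to act, even though this item is fixable by adding a tmpfs entry. The crit message should at least tell the operator what is expected, e.g. `crit "$PARTITION is not a partition (no fstab entry); add a tmpfs line for it to /etc/fstab"`, or `apply` could handle the missing entry for this tmpfs case instead of giving up. The 2.15 and 2.16 hunks for the same mount point share this behaviour.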
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 2.15 Add nosuid Option to /run/shm Partition (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Quick factoring as many script use the same logic
+PARTITION="/run/shm"
+OPTION="nosuid"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Verifying that $PARTITION is a partition"
+ FNRET=0
+ is_a_partition "$PARTITION"
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION is not a partition"
+ FNRET=2
+ else
+ ok "$PARTITION is a partition"
+ has_mount_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ crit "$PARTITION have no option $OPTION in fstab !"
+ FNRET=1
+ else
+ ok "$PARTITION have $OPTION in fstab"
+ has_mounted_option $PARTITION $OPTION
+ if [ $FNRET -gt 0 ]; then
+ warn "$PARTITION is not mounted with $OPTION at runtime"
+ FNRET=3
+ else
+ ok "$PARTITION mounted with $OPTION"
+ fi
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $FNRET = 0 ]; then
+ ok "$PARTITION is correctly set"
+ elif [ $FNRET = 2 ]; then
+ crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here"
+ elif [ $FNRET = 1 ]; then
+ info "Adding $OPTION to fstab"
+ add_option_to_fstab $PARTITION $OPTION
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ elif [ $FNRET = 3 ]; then
+ info "Remounting $PARTITION from fstab"
+ remount_partition $PARTITION
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this script
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/2.16_run_shm_noexec.sh b/bin/hardening/2.16_run_shm_noexec.sh
new file mode 100755
index 0000000..9f111b5
--- /dev/null
+++ b/bin/hardening/2.16_run_shm_noexec.sh
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.16 Add noexec Option to /run/shm Partition (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick factoring as many script use the same logic +PARTITION="/run/shm" +OPTION="noexec" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Verifying that $PARTITION is a partition" + FNRET=0 + is_a_partition "$PARTITION" + if [ $FNRET -gt 0 ]; then + crit "$PARTITION is not a partition" + FNRET=2 + else + ok "$PARTITION is a partition" + has_mount_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION have no option $OPTION in fstab !" + FNRET=1 + else + ok "$PARTITION have $OPTION in fstab" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=3 + else + ok "$PARTITION mounted with $OPTION" + fi + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $FNRET = 0 ]; then + ok "$PARTITION is correctly set" + elif [ $FNRET = 2 ]; then + crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + elif [ $FNRET = 1 ]; then + info "Adding $OPTION to fstab" + add_option_to_fstab $PARTITION $OPTION + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + elif [ $FNRET = 3 ]; then + info "Remounting $PARTITION from fstab" + remount_partition $PARTITION + fi +} + +# This function will check config parameters required +check_config() { + # No param for this script + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/2.13_removable_device_nosuid.cfg b/etc/conf.d/2.13_removable_device_nosuid.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.13_removable_device_nosuid.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/conf.d/2.14_run_shm_nodev.cfg b/etc/conf.d/2.14_run_shm_nodev.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.14_run_shm_nodev.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/conf.d/2.15_run_shm_nosuid.cfg b/etc/conf.d/2.15_run_shm_nosuid.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.15_run_shm_nosuid.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/conf.d/2.16_run_shm_noexec.cfg b/etc/conf.d/2.16_run_shm_noexec.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/2.16_run_shm_noexec.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled From d575ef89407e11535f530bbd6bea2ad416ae87c0 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Tue, 5 Apr 2016 13:42:05 +0200 Subject: [PATCH 13/64] 2.17_sticky_bit_world_writable_folder.sh --- .../2.17_sticky_bit_world_writable_folder.sh | 55 +++++++++++++++++++ etc/conf.d/2.16_run_shm_noexec.cfg | 2 +- .../2.17_sticky_bit_world_writable_folder.cfg | 2 + 3 files changed, 58 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/2.17_sticky_bit_world_writable_folder.sh create mode 100644 etc/conf.d/2.17_sticky_bit_world_writable_folder.cfg 
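Review bot: The audit treats a missing fstab entry as the critical finding (`crit "$PARTITION have no option $OPTION in fstab !"`) and the live mount as only a warning, but on Debian 7 /run/shm is normally mounted by initscripts from /etc/default/tmpfs rather than from an fstab line, so a stock host is likely to land in the `is not a partition` branch (FNRET=2) where apply() refuses to act; `is_a_partition` and `add_option_to_fstab` are defined outside this patch, so I cannot confirm which source they read. Consider checking the live mount first (`has_mounted_option` is already available) and, when no fstab line exists, adding a `tmpfs /run/shm tmpfs` entry carrying the option instead of bailing out. The two `crit` messages also read awkwardly; `"$PARTITION has no $OPTION option in fstab"` is clearer.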
diff --git a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh new file mode 100755 index 0000000..99d8025 --- /dev/null +++ b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh 
@@ -0,0 +1,55 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# Hardening script skeleton replace this line with proper point treated +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Checking if setuid is set on world writable Directories" + RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) + if [ ! -z "$RESULT" ]; then + crit "Some world writable directories are not on sticky bit mode !" + FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') + crit "$FORMATTED_RESULT" + else + ok "All world writable directories have a sticky bit" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null) + if [ ! -z "$RESULT" ]; then + df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + else + ok "All world writable directories have a sticky bit, nothing to apply" + fi +} + +# This function will check config parameters required +check_config() { + # No param for this function + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/2.16_run_shm_noexec.cfg b/etc/conf.d/2.16_run_shm_noexec.cfg index e1e4502..acee522 100644 
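Review bot: In apply(), `xargs chmod a+t` consumes newline-delimited `find` output, so a world-writable directory whose path contains whitespace is split into bogus arguments and, under `set -e`, the failing `chmod` aborts the script; use `-print0 2>/dev/null | xargs -0 chmod a+t` and keep the `! -perm -1000` filter so only directories that actually lack the bit are touched. The audit's `info` line says "setuid" where the sticky bit is meant, and the header still carries the skeleton placeholder; `# 2.17 Set Sticky Bit on All World-Writable Directories (Scored)` and `info "Checking if sticky bit is set on world writable directories"` fix both. The `2>/dev/null` on `find` also hides permission errors that would explain an incomplete result, so a `debug` of stderr would help when the audit is run unprivileged.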
--- a/etc/conf.d/2.16_run_shm_noexec.cfg +++ b/etc/conf.d/2.16_run_shm_noexec.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=enabled +status=disabled diff --git a/etc/conf.d/2.17_sticky_bit_world_writable_folder.cfg b/etc/conf.d/2.17_sticky_bit_world_writable_folder.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.17_sticky_bit_world_writable_folder.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled From 0861a1407d2412f94bbdc7d8849370dfae58dd42 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Thu, 7 Apr 2016 06:56:14 +0200 Subject: [PATCH 14/64] 2.18_disable_cramfs.sh --- bin/hardening/2.18_disable_cramfs.sh | 57 ++++++++++++++++++++++++++++ etc/conf.d/2.18_disable_cramfs.cfg | 2 + lib/utils.sh | 13 +++++++ 3 files changed, 72 insertions(+) create mode 100755 bin/hardening/2.18_disable_cramfs.sh create mode 100644 etc/conf.d/2.18_disable_cramfs.cfg diff --git a/bin/hardening/2.18_disable_cramfs.sh b/bin/hardening/2.18_disable_cramfs.sh new file mode 100755 index 0000000..e8ceba4 --- /dev/null +++ b/bin/hardening/2.18_disable_cramfs.sh 
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# Hardening script skeleton replace this line with proper point treated +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="cramfs" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is diabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/2.18_disable_cramfs.cfg b/etc/conf.d/2.18_disable_cramfs.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.18_disable_cramfs.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/lib/utils.sh b/lib/utils.sh index 5a2e081..36e8572 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
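Review bot: The audit only distinguishes `CONFIG_CRAMFS=y` from everything else, so a kernel built with `=m` (the usual distribution layout, including Debian's stock kernel as far as I recall) is reported as `cramfs is disabled` even though `mount -t cramfs` would autoload the module; the "monolithic kernel" comment documents the false negative rather than removing it. CIS 2.18's remediation is a modprobe blacklist, so audit() should also look for `install cramfs /bin/true` under /etc/modprobe.d (and at `lsmod` for a loaded module), and apply() could write that line into e.g. /etc/modprobe.d/CIS.conf instead of only telling the user to recompile. The trailing `:` in both functions is dead code, and the assumption comment has typos (`yu`, `monolothic`).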
@@ -1,7 +1,20 @@ # CIS Debian 7 Hardening Utility functions +# +# Kernel Options checks +# +is_kernel_option_enabled() { + local KERNEL_OPTION=$1 + RESULT=$(zgrep -i $KERNEL_OPTION /proc/config.gz | grep -vE "^#") + ANSWER=$(cut -d = -f 2 <<< $RESULT) + if [ "x$ANSWER" = "xy" ]; then + FNRET=0 + else + FNRET=1 + fi +} # # Mounting point manipulation From 8269600088cab14dd2534b3c5eb0df22341be20c Mon Sep 17 00:00:00 2001 
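Review bot: `zgrep -i $KERNEL_OPTION /proc/config.gz` is an unanchored substring match, so for options that own several CONFIG_ lines (`squashfs` → CONFIG_SQUASHFS, CONFIG_SQUASHFS_XATTR, …; `hfs` → CONFIG_HFS_FS and CONFIG_HFSPLUS_FS) `RESULT` holds several lines, `ANSWER` becomes multi-line and never equals `y`, and every caller then reports the filesystem disabled regardless of its real state. Anchor the search on the symbol, e.g. `RESULT=$(zgrep -iE "^CONFIG_${KERNEL_OPTION}(_FS)?=" /proc/config.gz | grep -vE "^#")`, and verify each caller's symbol, since not all follow that naming (freevxfs lives under CONFIG_VXFS_FS as far as I recall). Quote the here-string as `<<< "$RESULT"`, and note that `=m` is classified as disabled although a module is loadable on demand. Reading /proc/config.gz also presumes CONFIG_IKCONFIG_PROC; a `does_file_exist /proc/config.gz` guard with a clear warning would avoid a confusing zgrep error on kernels without it.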
From: "thibault.dewailly" Date: Thu, 7 Apr 2016 07:22:04 +0200 Subject: [PATCH 15/64] 2.19_disable_freevxfs.sh 2.20_disable_jffs2.sh 2.21_disable_hfs.sh 2.22_disable_hfsplus.sh 2.23_disable_squashfs.sh 2.24_disable_udf.sh --- bin/hardening/2.18_disable_cramfs.sh | 4 +- bin/hardening/2.19_disable_freevxfs.sh | 57 ++++++++++++++++++++++++++ bin/hardening/2.20_disable_jffs2.sh | 57 ++++++++++++++++++++++++++ bin/hardening/2.21_disable_hfs.sh | 57 ++++++++++++++++++++++++++ bin/hardening/2.22_disable_hfsplus.sh | 57 ++++++++++++++++++++++++++ bin/hardening/2.23_disable_squashfs.sh | 57 ++++++++++++++++++++++++++ bin/hardening/2.24_disable_udf.sh | 57 ++++++++++++++++++++++++++ etc/conf.d/2.19_disable_freevxfs.cfg | 2 + etc/conf.d/2.20_disable_jffs2.cfg | 2 + etc/conf.d/2.21_disable_hfs.cfg | 2 + etc/conf.d/2.22_disable_hfsplus.cfg | 2 + etc/conf.d/2.23_disable_squashfs.cfg | 2 + etc/conf.d/2.24_disable_udf.cfg | 2 + lib/utils.sh | 9 +++- 14 files changed, 363 insertions(+), 4 deletions(-) create mode 100755 bin/hardening/2.19_disable_freevxfs.sh create mode 100755 bin/hardening/2.20_disable_jffs2.sh create mode 100755 bin/hardening/2.21_disable_hfs.sh create mode 100755 bin/hardening/2.22_disable_hfsplus.sh create mode 100755 bin/hardening/2.23_disable_squashfs.sh create mode 100755 bin/hardening/2.24_disable_udf.sh create mode 100644 etc/conf.d/2.19_disable_freevxfs.cfg create mode 100644 etc/conf.d/2.20_disable_jffs2.cfg create mode 100644 etc/conf.d/2.21_disable_hfs.cfg create mode 100644 etc/conf.d/2.22_disable_hfsplus.cfg create mode 100644 etc/conf.d/2.23_disable_squashfs.cfg create mode 100644 etc/conf.d/2.24_disable_udf.cfg diff --git a/bin/hardening/2.18_disable_cramfs.sh b/bin/hardening/2.18_disable_cramfs.sh index e8ceba4..e9df2c1 100755 --- a/bin/hardening/2.18_disable_cramfs.sh +++ b/bin/hardening/2.18_disable_cramfs.sh 
@@ -5,7 +5,7 @@ # # -# Hardening script skeleton replace this line with proper point treated +# 2.18 Disable Mounting of cramfs Filesystems (Not Scored) # set -e # One error, it's over @@ -32,7 +32,7 @@ apply () { if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" else - ok "$KERNEL_OPTION is diabled, nothing to do" + ok "$KERNEL_OPTION is disabled, nothing to do" fi : } diff --git a/bin/hardening/2.19_disable_freevxfs.sh b/bin/hardening/2.19_disable_freevxfs.sh new file mode 100755 index 0000000..0d43421 --- /dev/null +++ b/bin/hardening/2.19_disable_freevxfs.sh 
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.19 Disable Mounting of freevxfs Filesystems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="freevxfs" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is disabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.20_disable_jffs2.sh b/bin/hardening/2.20_disable_jffs2.sh new file mode 100755 index 0000000..c892e96 --- /dev/null +++ b/bin/hardening/2.20_disable_jffs2.sh 
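Review bot: With `KERNEL_OPTION="freevxfs"` the helper greps /proc/config.gz for the string "freevxfs", but the kernel symbol for that driver is CONFIG_VXFS_FS (as far as I recall; please verify on a Debian 7 config), so nothing matches, `ANSWER` is empty and the audit unconditionally prints `freevxfs is disabled`. The check is therefore vacuous for this item; pass the real symbol (`KERNEL_OPTION="vxfs"` with an anchored grep in the helper, or the full `CONFIG_VXFS_FS`) and have audit() treat "not found" as a warning rather than a pass. The `=m` case is likewise reported as disabled although the module remains loadable, and the assumption comment carries the same typos as 2.18.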
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.20 Disable Mounting of jffs2 Filesystems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="jffs2" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is disabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.21_disable_hfs.sh b/bin/hardening/2.21_disable_hfs.sh new file mode 100755 index 0000000..073e539 --- /dev/null +++ b/bin/hardening/2.21_disable_hfs.sh 
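Review bot: `is_kernel_option_enabled jffs2` matches every CONFIG_JFFS2_* line (CONFIG_JFFS2_FS plus its debug, xattr and compression sub-options), so the helper's single-value comparison sees a multi-line `ANSWER`, never equals `y`, and the audit reports `jffs2 is disabled` even on a kernel with the driver built in. Pass the exact symbol, or have the helper anchor on `^CONFIG_JFFS2_FS=`, and treat a built-as-module result as enabled-but-unloaded rather than disabled. As with the other 2.1x/2.2x scripts, the actionable remediation is a modprobe `install jffs2 /bin/true` entry, which apply() could write instead of only suggesting a kernel rebuild.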
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.21 Disable Mounting of hfs Filesystems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="hfs" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is disabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.22_disable_hfsplus.sh b/bin/hardening/2.22_disable_hfsplus.sh new file mode 100755 index 0000000..81d47bf --- /dev/null +++ b/bin/hardening/2.22_disable_hfsplus.sh 
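Review bot: The substring `hfs` also matches CONFIG_HFSPLUS_FS, so `ANSWER` is multi-line whenever both lines survive the `grep -vE "^#"` filter and the comparison with `y` fails, reporting hfs disabled regardless; when only one line survives, 2.21 may actually be reading hfsplus's value rather than hfs's. Match on the exact symbol (`^CONFIG_HFS_FS=`) so this check is independent of 2.22. The `=m` case is again classified as disabled although the module is loadable on demand.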
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.22 Disable Mounting of hfsplus Filesystems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="hfsplus" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is disabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.23_disable_squashfs.sh b/bin/hardening/2.23_disable_squashfs.sh new file mode 100755 index 0000000..e5a059d --- /dev/null +++ b/bin/hardening/2.23_disable_squashfs.sh 
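Review bot: apply() can only tell the user to recompile the kernel, yet the CIS remediation for 2.22 is a modprobe blacklist (`install hfsplus /bin/true` in a file under /etc/modprobe.d), which the script could write itself and which is also the correct answer when the driver is built as a module, a case the audit currently reports as `hfsplus is disabled`. I would have audit() check /etc/modprobe.d and `lsmod` in addition to /proc/config.gz, and have apply() append the `install` line when it is absent. The trailing `:` statements in audit() and apply() are no-ops and can go.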
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.23 Disable Mounting of squashfs Filesystems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="squashfs" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is disabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/2.24_disable_udf.sh b/bin/hardening/2.24_disable_udf.sh new file mode 100755 index 0000000..e49469c --- /dev/null +++ b/bin/hardening/2.24_disable_udf.sh 
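Review bot: `squashfs` matches CONFIG_SQUASHFS together with its sub-options (CONFIG_SQUASHFS_XATTR, CONFIG_SQUASHFS_ZLIB, …), so `ANSWER` is multi-line, never equals `y`, and the audit prints `squashfs is disabled` even when it is built in; anchor the search on `^CONFIG_SQUASHFS=` or pass the full symbol. Note also that squashfs is what live/installer media and some container tooling mount, so enabling this script by default could be disruptive; the cfg shipping `status=disabled` seems right, and the header comment could say why.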
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.24 Disable Mounting of udf Filesystems (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +KERNEL_OPTION="udf" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + crit "$KERNEL_OPTION is enabled !" + else + ok "$KERNEL_OPTION is disabled" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled $KERNEL_OPTION + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + warn "I cannot fix $KERNEL_OPTION enabled, recompile your kernel please" + else + ok "$KERNEL_OPTION is disabled, nothing to do" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/2.19_disable_freevxfs.cfg b/etc/conf.d/2.19_disable_freevxfs.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.19_disable_freevxfs.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/conf.d/2.20_disable_jffs2.cfg b/etc/conf.d/2.20_disable_jffs2.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.20_disable_jffs2.cfg 
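Review bot: `udf` matches both CONFIG_UDF_FS and CONFIG_UDF_NLS, so `ANSWER` holds two values, the `= "y"` comparison never succeeds and the audit reports `udf is disabled` whatever the kernel has; match `^CONFIG_UDF_FS=` instead. The `=m` build is also classified as disabled although `mount -t udf` would load it, and the only remediation offered is a kernel rebuild; a modprobe `install udf /bin/true` entry is the standard fix for this item.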
@@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/conf.d/2.21_disable_hfs.cfg b/etc/conf.d/2.21_disable_hfs.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.21_disable_hfs.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/conf.d/2.22_disable_hfsplus.cfg b/etc/conf.d/2.22_disable_hfsplus.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.22_disable_hfsplus.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/conf.d/2.23_disable_squashfs.cfg b/etc/conf.d/2.23_disable_squashfs.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.23_disable_squashfs.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/conf.d/2.24_disable_udf.cfg b/etc/conf.d/2.24_disable_udf.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.24_disable_udf.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/lib/utils.sh b/lib/utils.sh index 36e8572..59aaf68 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -7,12 +7,17 @@ is_kernel_option_enabled() { local KERNEL_OPTION=$1 - RESULT=$(zgrep -i $KERNEL_OPTION /proc/config.gz | grep -vE "^#") + RESULT=$(zgrep -i $KERNEL_OPTION /proc/config.gz | grep -vE "^#") || : ANSWER=$(cut -d = -f 2 <<< $RESULT) if [ "x$ANSWER" = "xy" ]; then + debug "Kernel option $KERNEL_OPTION enabled" FNRET=0 - else + elif [ "x$ANSWER" = "xn" ]; then + debug "Kernel option $KERNEL_OPTION disabled" FNRET=1 + else + debug "Kernel option $KERNEL_OPTION not found" + FNRET=2 # Not found fi } From f3cb9bfb16e1de136e0f49c6bf8418d481fe3635 Mon Sep 17 00:00:00 2001 
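Review bot: The new `FNRET=2` "not found" branch is also where `=m` now lands, with a misleading `not found` debug line, and every caller tests `$FNRET = 0`, so both a loadable module and a mistyped symbol name are silently reported as disabled. Add an explicit `elif [ "x$ANSWER" = "xm" ]; then debug "Kernel option $KERNEL_OPTION built as module"; FNRET=0` (a module is loadable on demand and counts as enabled unless blacklisted) and have the callers `warn` on FNRET=2 instead of printing `ok`. Multi-line `ANSWER` values from the unanchored grep fall into this branch too, so "not found" currently hides the substring-match problem as well. The `|| :` is the right guard for `set -e` here.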
From: "thibault.dewailly" Date: Thu, 7 Apr 2016 07:46:44 +0200 Subject: [PATCH 16/64] 2.25_disable_automounting.sh --- bin/hardening/2.25_disable_automounting.sh | 56 ++++++++++++++++++++++ etc/conf.d/2.25_disable_automounting.cfg | 2 + lib/utils.sh | 15 ++++++ 3 files changed, 73 insertions(+) create mode 100755 bin/hardening/2.25_disable_automounting.sh create mode 100644 etc/conf.d/2.25_disable_automounting.cfg diff --git a/bin/hardening/2.25_disable_automounting.sh b/bin/hardening/2.25_disable_automounting.sh new file mode 100755 index 0000000..e6bf641 --- /dev/null +++ b/bin/hardening/2.25_disable_automounting.sh @@ -0,0 +1,56 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 2.25 Disable Automounting (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +SERVICE_NAME="autofs" + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Checking if $SERVICE_NAME is enabled" + is_service_enabled $SERVICE_NAME + if [ $FNRET = 0 ]; then + crit "$SERVICE_NAME is enabled" + else + ok "$SERVICE_NAME is disabled" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Checking if $SERVICE_NAME is enabled" + is_service_enabled $SERVICE_NAME + if [ $FNRET = 0 ]; then + info "Disabling $SERVICE_NAME" + update-rc.d $SERVICE_NAME disable + else + ok "$SERVICE_NAME is disabled" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
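Review bot: apply() removes the autofs start links with `update-rc.d $SERVICE_NAME disable` but does not stop the running daemon, so automounting stays active until the next reboot even though the script reports the item handled. Follow it with `service "$SERVICE_NAME" stop || warn "Could not stop $SERVICE_NAME"` (the `||` keeps `set -e` from aborting when the service is already stopped or not installed). Quoting `"$SERVICE_NAME"` in both calls costs nothing; note also that `is_service_enabled`, added in the lib/utils.sh hunk below, only inspects SysV rc links, so a manually started autofs would pass the audit.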
diff --git a/etc/conf.d/2.25_disable_automounting.cfg b/etc/conf.d/2.25_disable_automounting.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/2.25_disable_automounting.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/lib/utils.sh b/lib/utils.sh index 59aaf68..5d534b3 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -1,5 +1,20 @@ # CIS Debian 7 Hardening Utility functions +# +# Service Boot Checks +# + +is_service_enabled() { + local SERVICE=$1 + if [ $(find /etc/rc?.d/ -name "S*$SERVICE" -print | wc -l) -gt 0 ]; then + debug "Service $SERVICE is enabled" + FNRET=0 + else + debug "Service $SERVICE is disabled" + FNRET=1 + fi +} + # # Kernel Options checks From f1dcd7431a68b710cbdfb5dca1781c7212b99f6a Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Thu, 7 Apr 2016 08:43:37 +0200 Subject: [PATCH 17/64] 3.1_bootloader_ownership.sh --- bin/hardening/3.1_bootloader_ownership.sh | 72 +++++++++++++++++++++++ etc/conf.d/3.1_bootloader_ownership.cfg | 2 + lib/utils.sh | 49 +++++++++++++++ 3 files changed, 123 insertions(+) create mode 100755 bin/hardening/3.1_bootloader_ownership.sh create mode 100644 etc/conf.d/3.1_bootloader_ownership.cfg diff --git a/bin/hardening/3.1_bootloader_ownership.sh b/bin/hardening/3.1_bootloader_ownership.sh new file mode 100755 index 0000000..b31250d --- /dev/null +++ b/bin/hardening/3.1_bootloader_ownership.sh 
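Review bot: `find /etc/rc?.d/ -name "S*$SERVICE"` matches any start link whose name merely ends in the service name (`S20xautofs` would count as `autofs`), and it walks runlevels 0, 1 and 6 as well, where a start link is unusual but possible. Restrict the pattern to Debian's link layout, `find /etc/rc[2-5].d/ -name "S[0-9][0-9]$SERVICE"`, so the result reflects the multi-user runlevels only. The function reports boot-time enablement only, so a service disabled in the rc links but currently running is still "disabled" here; 2.25's apply() should stop the daemon explicitly rather than rely on this result.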
@@ -0,0 +1,72 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 3.1 Set User/Group Owner on bootloader config (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assertion : Grub Based. + +FILE='/boot/grub/grub.cfg' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + info "fixing $FILE ownership to $USER:$GROUP" + chown $USER:$GROUP $FILE + fi +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/3.1_bootloader_ownership.cfg b/etc/conf.d/3.1_bootloader_ownership.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/3.1_bootloader_ownership.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled 
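Review bot: The audit's failure message `crit "$FILE is not $USER:$GROUP ownership set"` is hard to read; `crit "$FILE is not owned by $USER:$GROUP"` states the finding directly, and the apply() `info` line should be capitalised like the others (`"Fixing $FILE ownership to $USER:$GROUP"`). In apply(), quote the operands and end option parsing, `chown -- "$USER:$GROUP" "$FILE"`, so an unexpected configured value cannot be read as a flag. check_config() exits 128 on a missing file even in audit mode; whether main.sh reports that as an error or as not-applicable is not visible here, so a `warn` before the exit would at least explain the non-zero status.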
diff --git a/lib/utils.sh b/lib/utils.sh index 5d534b3..b04f2bc 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -1,5 +1,54 @@ # CIS Debian 7 Hardening Utility functions +# +# File manipulation +# + +does_file_exist() { + local FILE=$1 + if [ -e $FILE ]; then + FNRET=0 + else + FNRET=1 + fi +} + +has_file_correct_ownership() { + local FILE=$1 + local USER=$2 + local GROUP=$3 + local USERID=$(id -u $USER) + local GROUPID=$(id -u $GROUP) + + if [ "$(stat -c "%u %g" /boot/grub/grub.cfg)" = "$USERID $GROUPID" ]; then + FNRET=0 + else + FNRET=1 + fi +} + +# +# User manipulation +# + +does_user_exist() { + local USER=$1 + if $(getent passwd $USER >/dev/null 2>&1); then + FNRET=0 + else + FNRET=1 + fi +} + +does_group_exist() { + local GROUP=$1 + if $(getent group $GROUP >/dev/null 2>&1); then + FNRET=0 + else + FNRET=1 + fi +} + # # Service Boot Checks # From ce76538f64067576e51c3e3aecb3a5a33183ead2 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Mon, 11 Apr 2016 08:55:44 +0200 Subject: [PATCH 18/64] 3.1_bootloader_ownership.sh fix --- bin/hardening/3.1_bootloader_ownership.sh | 6 ++++++ lib/utils.sh | 7 ++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/bin/hardening/3.1_bootloader_ownership.sh b/bin/hardening/3.1_bootloader_ownership.sh index b31250d..044d2b0 100755 --- a/bin/hardening/3.1_bootloader_ownership.sh +++ b/bin/hardening/3.1_bootloader_ownership.sh @@ -40,6 +40,12 @@ apply () { # This function will check config parameters required check_config() { + + is_pkg_installed "grub-pc" + if [ $FNRET != 0 ]; then + warn "Grub is not installed, not handling configuration" + exit 128 + fi does_user_exist $USER if [ $FNRET != 0 ]; then crit "$USER does not exist" diff --git a/lib/utils.sh b/lib/utils.sh index b04f2bc..7020e6a 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
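Review bot: `has_file_correct_ownership` ignores its `$FILE` argument and stats the hard-coded `/boot/grub/grub.cfg`, and it computes `GROUPID` with `id -u $GROUP`, which looks up a user named like the group; both slips are masked today only because root/root is 0/0. Fix with `local GROUPID=$(getent group "$GROUP" | cut -d: -f3)` and `if [ "$(stat -c "%u %g" "$FILE")" = "$USERID $GROUPID" ]; then`. In `does_user_exist`/`does_group_exist`, `if $(getent ... >/dev/null 2>&1); then` relies on bash's "empty command takes the status of the last substitution" rule; the idiomatic form is `if getent passwd "$USER" >/dev/null 2>&1; then`. Separate `local` from the command substitution as well, so a failing `id`/`getent` is not hidden behind `local`'s own exit status.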
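Review bot: Gating 3.1 on `is_pkg_installed "grub-pc"` excludes UEFI hosts, which install grub-efi-amd64 (or grub-efi-ia32) yet still have /boot/grub/grub.cfg, so they get `Grub is not installed` and are skipped although the control applies; the `does_file_exist $FILE` check that follows in check_config() already covers the real precondition. Either drop the package gate or accept any of the grub-pc / grub-efi-* packages; since `is_pkg_installed` reports through FNRET rather than its return status, that means two calls with a combined flag, not an `||` chain. `exit 128` after a `warn` also turns a not-applicable host into a failed run in audit mode. check_config() continues past the end of the hunk.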
@@ -202,11 +202,12 @@ apt_check_updates() # Returns if a package is installed # -is_installed() +is_pkg_installed() { PKG_NAME=$1 - if `dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install '` ; then + if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then FNRET=0 + else + FNRET=1 fi - FNRET=1 } From 7a3dc9ba87fa763deff37179771dd354a1e1060f Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Mon, 11 Apr 2016 11:38:50 +0200 Subject: [PATCH 19/64] 3.2_bootloader_permissions.sh 3.3_bootloader_password.sh --- bin/hardening/3.2_bootloader_permissions.sh | 66 ++++++++++++++++++ bin/hardening/3.3_bootloader_password.sh | 76 +++++++++++++++++++++ etc/conf.d/3.1_bootloader_ownership.cfg | 2 +- etc/conf.d/3.2_bootloader_permissions.cfg | 2 + etc/conf.d/3.3_bootloader_password.cfg | 19 ++++++ lib/utils.sh | 26 ++++++- 6 files changed, 189 insertions(+), 2 deletions(-) create mode 100755 bin/hardening/3.2_bootloader_permissions.sh create mode 100755 bin/hardening/3.3_bootloader_password.sh create mode 100644 etc/conf.d/3.2_bootloader_permissions.cfg create mode 100644 etc/conf.d/3.3_bootloader_password.cfg diff --git a/bin/hardening/3.2_bootloader_permissions.sh b/bin/hardening/3.2_bootloader_permissions.sh new file mode 100755 index 0000000..1cadd62 --- /dev/null +++ b/bin/hardening/3.2_bootloader_permissions.sh 
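Review bot: `if $(dpkg -s ... | grep -q ...); then` runs the pipeline inside a command substitution and then executes its (empty) output, leaning on bash's rule that an empty command takes the last substitution's status; write it as `if dpkg -s "$PKG_NAME" 2>/dev/null | grep -q '^Status: install '; then`, which is also what the code reads as. `PKG_NAME` should be `local`, as in the other helpers. The pattern `^Status: install ` also accepts `install ok half-configured` and `install ok unpacked`, which are broken installs rather than usable ones; `'^Status: install ok installed$'` is the state the callers actually depend on. The rename to `is_pkg_installed` and the added `else` branch fix the old unconditional `FNRET=1`, which is good.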
@@ -0,0 +1,66 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 3.2 Set Permissions on bootloader config (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Assertion : Grub Based. + +FILE='/boot/grub/grub.cfg' +PERMISSIONS='400' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + + is_pkg_installed "grub-pc" + if [ $FNRET != 0 ]; then + warn "grub-pc is not installed, not handling configuration" + exit 128 + fi + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/3.3_bootloader_password.sh b/bin/hardening/3.3_bootloader_password.sh new file mode 100755 index 0000000..05a9ab0 --- /dev/null +++ b/bin/hardening/3.3_bootloader_password.sh 
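Review bot: The second guard in check_config of 3.2_bootloader_permissions.sh, `if [ $FNRET != 0 ]; then crit "$FILE does not exist"`, can never fire: FNRET still holds the 0 that the preceding is_pkg_installed test just required, and no `does_file_exist $FILE` call precedes it; the same dead check is copied into check_config of 3.3_bootloader_password.sh in the next hunk. In the root-dir block, the `No CIS_ROOT_DIR variable, aborting` branch prints but does not `exit 128`, so the script carries on and only the final `[ -r $CIS_ROOT_DIR/lib/main.sh ] && ...` line decides whether anything runs; every new script in this series repeats that block. audit and apply also pass `$FILE` and `$PERMISSIONS` unquoted, harmless for these constants but inconsistent with the quoted helper calls elsewhere in the series.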
@@ -0,0 +1,76 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 3.3 Set Boot Loader Password (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/boot/grub/grub.cfg' +USER_PATTERN="^set superusers" +PWD_PATTERN="^password_pbkdf2" + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file $FILE "$USER_PATTERN" + if [ $FNRET != 0 ]; then + crit "$USER_PATTERN not present in $FILE" + else + ok "$USER_PATTERN is present in $FILE" + fi + does_pattern_exists_in_file $FILE "$PWD_PATTERN" + if [ $FNRET != 0 ]; then + crit "$PWD_PATTERN not present in $FILE" + else + ok "$PWD_PATTERN is present in $FILE" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file $FILE "$USER_PATTERN" + if [ $FNRET != 0 ]; then + warn "$USER_PATTERN not present in $FILE, please configure password for grub" + else + ok "$USER_PATTERN is present in $FILE" + fi + does_pattern_exists_in_file $FILE "$PWD_PATTERN" + if [ $FNRET != 0 ]; then + warn "$PWD_PATTERN not present in $FILE, please configure password for grub" + else + ok "$PWD_PATTERN is present in $FILE" + fi + : +} + +# This function will check config parameters required +check_config() { + is_pkg_installed "grub-pc" + if [ $FNRET != 0 ]; then + warn "grub-pc is not installed, not handling configuration" + exit 128 + fi + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . 
$CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/3.1_bootloader_ownership.cfg b/etc/conf.d/3.1_bootloader_ownership.cfg index e1e4502..acee522 100644 --- a/etc/conf.d/3.1_bootloader_ownership.cfg +++ b/etc/conf.d/3.1_bootloader_ownership.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=enabled +status=disabled diff --git a/etc/conf.d/3.2_bootloader_permissions.cfg b/etc/conf.d/3.2_bootloader_permissions.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/3.2_bootloader_permissions.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/conf.d/3.3_bootloader_password.cfg b/etc/conf.d/3.3_bootloader_password.cfg new file mode 100644 index 0000000..46413ba --- /dev/null +++ b/etc/conf.d/3.3_bootloader_password.cfg @@ -0,0 +1,19 @@ +# Configuration for script of same name +status=enabled + +###### Grub configuration example : +#~ # id +#uid=0(root) gid=0(root) groups=0(root) +#~ # ls /etc/grub.d/01_users -l +#-rwxr-xr-x 1 root root 390 Apr 11 11:04 /etc/grub.d/01_users +# +# ~ # cat /etc/grub.d/01_users +##!/bin/sh +# +## Grub password file +# +#cat << EOF +#set superusers="osp" +#password FOR_GRUB # this is a drity hack for chmod 400 by grub-mkconfig +#password_pbkdf2 osp grub.pbkdf2.sha512.10000.28AC55867740A5F1820853347EEFE3CCC67D19540BE8ACCE5E354A18DDD8D4A48AACC5F9FCAE08593B05D0E131568456F02A44F1D01C7E194635CE664410F885.07A8B0B957098D4A13B6CE77A62431945A98DCF20313AFAC86346957E6F67827B252F3BF395D82E8C25036AA89AE6BA13F946523FB02F6C3A605B3B312658D6E +#EOF diff --git a/lib/utils.sh b/lib/utils.sh index 7020e6a..ff38696 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
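Review bot: The commented example in 3.3_bootloader_password.cfg ships a concrete grub.pbkdf2.sha512 hash for a user named `osp`, which invites copy-paste into a real /etc/grub.d/01_users and is at best confusing in a default config; replace it with an obviously fake placeholder such as `grub.pbkdf2.sha512.10000.<SALT>.<HASH>` and point the reader at grub-mkpasswd-pbkdf2. The `password FOR_GRUB` line labelled a "drity hack" also needs a real explanation: `password` is GRUB's cleartext-credential command, and the line presumably exists only so that grub-mkconfig tightens the mode of grub.cfg, which the comment should say so that nobody takes it as the way to set the password. The default `status=enabled` here also differs from the `disabled` chosen for 3.1 and 3.2 in the same commit.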
@@ -20,13 +20,37 @@ has_file_correct_ownership() {
 local USERID=$(id -u $USER)
 local GROUPID=$(id -u $GROUP)
- if [ "$(stat -c "%u %g" /boot/grub/grub.cfg)" = "$USERID $GROUPID" ]; then
+ if [ "$(stat -c "%u %g" $1)" = "$USERID $GROUPID" ]; then
 FNRET=0
 else
 FNRET=1
 fi
 }
+has_file_correct_permissions() {
+ local FILE=$1
+ local PERMISSIONS=$2
+
+ if [ $(stat -L -c "%a" $1) = "$PERMISSIONS" ]; then
+ FNRET=0
+ else
+ FNRET=1
+ fi
+}
+
+does_pattern_exists_in_file() {
+ local FILE=$1
+ local PATTERN=$2
+
+ debug "Checking if $PATTERN is present in $FILE"
+ if $(grep -qE "$PATTERN" $FILE); then
+ FNRET=0
+ else
+ FNRET=1
+ fi
+
+}
+
 #
 # User manipulation
 #
From d0b0710b368ccf5739309225d3b218f36c4bda10 Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Mon, 11 Apr 2016 13:51:54 +0200
Subject: [PATCH 20/64] 3.4_root_password.sh
---
 bin/hardening/3.4_root_password.sh | 55 ++++++++++++++++++++++++++
 etc/conf.d/3.3_bootloader_password.cfg | 2 +-
 etc/conf.d/3.4_root_password.cfg | 2 +
 3 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100755 bin/hardening/3.4_root_password.sh
 create mode 100644 etc/conf.d/3.4_root_password.cfg
diff --git a/bin/hardening/3.4_root_password.sh b/bin/hardening/3.4_root_password.sh
new file mode 100755
index 0000000..af38c63
--- /dev/null
+++ b/bin/hardening/3.4_root_password.sh
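Review bot: `if [ $(stat -L -c "%a" $1) = "$PERMISSIONS" ]` in has_file_correct_permissions leaves the substitution unquoted, so when stat fails (missing file, unreadable path) the test degenerates to `[ = "400" ]`, a syntax error that under the callers' `set -e` kills the script with an unrelated message; quote it and use the local already assigned: `if [ "$(stat -L -c "%a" "$FILE")" = "$PERMISSIONS" ]; then`. The function declares `local FILE=$1` and then reads `$1` anyway, as does the corrected stat call in has_file_correct_ownership above it; using the locals keeps a later rename of the parameter from silently breaking the call. In does_pattern_exists_in_file the pattern reaches `grep -qE` unquoted through call sites such as 3.4_root_password.sh and 4.1_restrict_core_dumps.sh, so it is subject to pathname expansion first; quote at the call sites and use `grep -qE -- "$PATTERN" "$FILE"` here so a pattern beginning with `-` is not parsed as an option.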
@@ -0,0 +1,55 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# Hardening script skeleton replace this line with proper point treated +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE="/etc/shadow" +PATTERN="^root:[*\!]:" + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET != 1 ]; then + crit "$PATTERN present in $FILE" + else + ok "$PATTERN not present in $FILE" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET != 1 ]; then + warn "$PATTERN present in $FILE, please put a root password" + else + ok "$PATTERN not present in $FILE" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/3.3_bootloader_password.cfg b/etc/conf.d/3.3_bootloader_password.cfg index 46413ba..307f40e 100644 --- a/etc/conf.d/3.3_bootloader_password.cfg +++ b/etc/conf.d/3.3_bootloader_password.cfg @@ -1,5 +1,5 @@ # Configuration for script of same name -status=enabled +status=disabled ###### Grub configuration example : #~ # id diff --git a/etc/conf.d/3.4_root_password.cfg b/etc/conf.d/3.4_root_password.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/3.4_root_password.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled 
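Review bot: PATTERN `^root:[*\!]:` is passed unquoted to does_pattern_exists_in_file in both audit and apply, and `[*\!]` is also a valid shell glob, so the argument undergoes pathname expansion against the current directory before grep sees it; call it as `does_pattern_exists_in_file "$FILE" "$PATTERN"`. The pattern only flags a root entry whose whole password field is `*` or `!`; an empty field (`root::`) or a `!!` field slips through, and `'^root:[*\!]*:'` covers those as well (an account locked with `passwd -l`, which keeps the hash behind a `!` prefix, would presumably still need a separate check). The file header still carries the template text "Hardening script skeleton replace this line with proper point treated" and should name the control, presumably `# 3.4 Require Authentication for Single-User Mode (Scored)`.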
From f3e537072a518b39e4819c828173deb401107c77 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Mon, 11 Apr 2016 14:55:42 +0200 Subject: [PATCH 21/64] 4.1_restrict_core_dumps.sh --- bin/hardening/4.1_restrict_core_dumps.sh | 75 ++++++++++++++++++++++++ etc/conf.d/4.1_restrict_core_dumps.cfg | 2 + lib/utils.sh | 45 ++++++++++++++ 3 files changed, 122 insertions(+) create mode 100755 bin/hardening/4.1_restrict_core_dumps.sh create mode 100644 etc/conf.d/4.1_restrict_core_dumps.cfg diff --git a/bin/hardening/4.1_restrict_core_dumps.sh b/bin/hardening/4.1_restrict_core_dumps.sh new file mode 100755 index 0000000..66fd715 --- /dev/null +++ b/bin/hardening/4.1_restrict_core_dumps.sh 
@@ -0,0 +1,75 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# Hardening script skeleton replace this line with proper point treated +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +LIMIT_FILE='/etc/security/limits.conf' +LIMIT_PATTERN='^\*[[:space:]]*hard[[:space:]]*core[[:space:]]*0$' +SYSCTL_PARAM='fs.suid_dumpable' +SYSCTL_EXP_RESULT=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN + if [ $FNRET != 0 ]; then + crit "$LIMIT_PATTERN not present in $LIMIT_FILE" + else + ok "$LIMIT_PATTERN present in $LIMIT_FILE" + fi + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ $FNRET != 0 ]; then + crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" + elif [ $FNRET = 255 ]; then + warn "$SYSCTL_PARAM does not exist, typo ?" + else + ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN + if [ $FNRET != 0 ]; then + warn "$LIMIT_PATTERN not present in $LIMIT_FILE, addning at the end of $LIMIT_FILE" + add_end_of_file $LIMIT_FILE "* hard core 0" + else + ok "$LIMIT_PATTERN present in $LIMIT_FILE" + fi + has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT" + if [ $FNRET != 0 ]; then + warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" + set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT + elif [ $FNRET = 255 ]; then + warn "$SYSCTL_PARAM does not exist, typo ?" + else + ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" + fi + +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/4.1_restrict_core_dumps.cfg b/etc/conf.d/4.1_restrict_core_dumps.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/4.1_restrict_core_dumps.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/lib/utils.sh b/lib/utils.sh index ff38696..6fafe73 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -1,5 +1,40 @@ # CIS Debian 7 Hardening Utility functions +# +# Sysctl Manipulation +# + +has_sysctl_param_expected_result() { + local SYSCTL_PARAM=$1 + local EXP_RESULT=$2 + + if [ "$(sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then + FNRET=0 + elif [ $? != 0 ]; then + debug "$SYSCTL_PARAM does not exist" + FNRET=255 + else + debug "$SYSCTL_PARAM has not a value of $EXP_RESULT" + FNRET=1 + fi +} + +set_sysctl_param() { + local SYSCTL_PARAM=$1 + local VALUE=$2 + debug "Setting $SYSCTL_PARAM to $VALUE" + if [ "$(sysctl -w $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then + FNRET=0 + elif [ $? != 0 ]; then + debug "$SYSCTL_PARAM does not exist" + FNRET=255 + else + warn "$SYSCTL_PARAM Failed !" + FNRET=1 + fi +} + + # # File manipulation # @@ -51,6 +86,16 @@ does_pattern_exists_in_file() { } +add_end_of_file() { + local FILE=$1 + local LINE=$2 + + debug "Adding $LINE at the end of $FILE" + backup_file "$1" + echo "$2" >> $FILE +} + + # # User manipulation # From 3596fec2df3cdc0b2219fc9f101ea79d335d46a5 Mon Sep 17 00:00:00 2001 
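Review bot: In audit and apply of 4.1_restrict_core_dumps.sh, `elif [ $FNRET = 255 ]` is unreachable because the preceding `if [ $FNRET != 0 ]` already captures 255, so a non-existent sysctl key is reported as "has not 0 value" (and apply then tries to set it) instead of the intended "does not exist, typo ?" warning; test the 255 case first, `if [ $FNRET = 255 ]; then` … `elif [ $FNRET != 0 ]; then`. 4.3_enable_randomized_vm_placement.sh in a later hunk has the same ordering. `does_pattern_exists_in_file $LIMIT_FILE $LIMIT_PATTERN` passes a pattern containing `*` and `[[:space:]]` unquoted, which the shell treats as a glob before grep sees it; quote both arguments.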
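Review bot: `elif [ $? != 0 ]` in has_sysctl_param_expected_result (and in set_sysctl_param) tests the status of the `[ ... ]` comparison that just failed, not sysctl's exit status, so on any value mismatch `$?` is 1 and the function always reports FNRET=255 "does not exist"; a key that merely holds the wrong value is therefore never corrected by apply. The later utils.sh hunk in this series that rewrites the test as `[ $? = 255 ]` inverts the problem rather than fixing it, since that branch is then never taken and a mistyped key is reported as a wrong value. Capture the output and the exit status separately before comparing, guarding the assignment so the callers' `set -e` does not abort on a missing key; set_sysctl_param needs the same restructuring around `sysctl -w`.
```shell
has_sysctl_param_expected_result() {
    local SYSCTL_PARAM=$1
    local EXP_RESULT=$2
    local OUTPUT RC=0

    # '|| RC=$?' keeps a failing sysctl from tripping the caller's set -e
    OUTPUT=$(sysctl "$SYSCTL_PARAM" 2>/dev/null) || RC=$?
    if [ $RC != 0 ]; then
        debug "$SYSCTL_PARAM does not exist"
        FNRET=255
    elif [ "$OUTPUT" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
        FNRET=0
    else
        debug "$SYSCTL_PARAM has not a value of $EXP_RESULT"
        FNRET=1
    fi
}
# … unchanged: set_sysctl_param, to be reworked the same way around sysctl -w …
```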
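Review bot: `echo "$2" >> $FILE` in add_end_of_file treats a LINE beginning with `-n` or `-e` as echo options and may interpret backslash escapes depending on shell settings; `printf '%s\n' "$LINE" >> "$FILE"` writes the argument verbatim. The function declares `FILE` and `LINE` and then reads `$1` and `$2` in the two calls, so the locals are dead. Nothing checks that the file ends with a newline before the append, so an unterminated last line would have the new entry glued onto it; a comment stating that assumption, or a check for it, would help the next caller.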
From: "thibault.dewailly" Date: Mon, 11 Apr 2016 16:53:57 +0200 Subject: [PATCH 22/64] 4.2_enable_nx_support.sh 4.3_enable_randomized_vm_placement.sh 4.4_disable_prelink.sh 4.5_enable_apparmor.sh 5.1.1_disable_nis.sh --- bin/hardening/4.2_enable_nx_support.sh | 53 +++++++++++++++++ .../4.3_enable_randomized_vm_placement.sh | 59 +++++++++++++++++++ bin/hardening/4.4_disable_prelink.sh | 57 ++++++++++++++++++ bin/hardening/4.5_enable_apparmor.sh | 55 +++++++++++++++++ bin/hardening/5.1.1_disable_nis.sh | 55 +++++++++++++++++ etc/conf.d/4.2_enable_nx_support.cfg | 2 + .../4.3_enable_randomized_vm_placement.cfg | 2 + etc/conf.d/4.4_disable_prelink.cfg | 2 + etc/conf.d/4.5_enable_apparmor.cfg | 2 + etc/conf.d/5.1.1_disable_nis.cfg | 2 + lib/utils.sh | 18 +++++- 11 files changed, 305 insertions(+), 2 deletions(-) create mode 100755 bin/hardening/4.2_enable_nx_support.sh create mode 100755 bin/hardening/4.3_enable_randomized_vm_placement.sh create mode 100755 bin/hardening/4.4_disable_prelink.sh create mode 100755 bin/hardening/4.5_enable_apparmor.sh create mode 100755 bin/hardening/5.1.1_disable_nis.sh create mode 100644 etc/conf.d/4.2_enable_nx_support.cfg create mode 100644 etc/conf.d/4.3_enable_randomized_vm_placement.cfg create mode 100644 etc/conf.d/4.4_disable_prelink.cfg create mode 100644 etc/conf.d/4.5_enable_apparmor.cfg create mode 100644 etc/conf.d/5.1.1_disable_nis.cfg diff --git a/bin/hardening/4.2_enable_nx_support.sh b/bin/hardening/4.2_enable_nx_support.sh new file mode 100755 index 0000000..4ca2292 --- /dev/null +++ b/bin/hardening/4.2_enable_nx_support.sh 
@@ -0,0 +1,53 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# Hardening script skeleton replace this line with proper point treated +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PATTERN='NX[[:space:]]\(Execute[[:space:]]Disable\)[[:space:]]protection:[[:space:]]active' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_dmesg $PATTERN + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in dmesg" + else + ok "$PATTERN present in dmesg" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_dmesg $PATTERN + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in dmesg, please go to the bios to activate this option or change for CPU compatible" + else + ok "$PATTERN present in dmesg" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/4.3_enable_randomized_vm_placement.sh b/bin/hardening/4.3_enable_randomized_vm_placement.sh new file mode 100755 index 0000000..c7204aa --- /dev/null +++ b/bin/hardening/4.3_enable_randomized_vm_placement.sh 
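Review bot: `does_pattern_exists_in_dmesg $PATTERN` audits the kernel ring buffer, which is finite and overwritten on a host with enough uptime or a chatty driver, so a compliant machine can be reported KO once the boot banner has scrolled away. The `nx` CPU flag in /proc/cpuinfo (`grep -qw nx /proc/cpuinfo`) is presumably a stable fallback that does not depend on log retention, and the audit could accept either signal. The pattern is also passed unquoted although it contains `\(` and `[[:space:]]`, so quote the argument at both call sites.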
@@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# Hardening script skeleton replace this line with proper point treated +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +SYSCTL_PARAM='kernel.randomize_va_space' +SYSCTL_EXP_RESULT=2 + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT + if [ $FNRET != 0 ]; then + crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !" + elif [ $FNRET = 255 ]; then + warn "$SYSCTL_PARAM does not exist, typo ?" + else + ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT + if [ $FNRET != 0 ]; then + warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it" + set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT + elif [ $FNRET = 255 ]; then + warn "$SYSCTL_PARAM does not exist, typo ?" + else + ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/4.4_disable_prelink.sh b/bin/hardening/4.4_disable_prelink.sh new file mode 100755 index 0000000..52693da --- /dev/null +++ b/bin/hardening/4.4_disable_prelink.sh 
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 4.4 Disable Prelink (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='prelink' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + /usr/sbin/prelink -ua + apt-get purge $PACKAGE -y + else + ok "$PACKAGE is absent" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/4.5_enable_apparmor.sh b/bin/hardening/4.5_enable_apparmor.sh new file mode 100755 index 0000000..88b7bbc --- /dev/null +++ b/bin/hardening/4.5_enable_apparmor.sh 
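Review bot: `/usr/sbin/prelink -ua` in apply runs under `set -e` with no status handling, so if undoing prelinking returns non-zero for any binary the script aborts before `apt-get purge` and the finding stays open; decide explicitly whether a failed undo should block the purge, e.g. `/usr/sbin/prelink -ua || warn "prelink -ua returned non-zero, continuing with purge"`. `apt-get purge $PACKAGE -y` is also invoked without `DEBIAN_FRONTEND=noninteractive`, so a debconf prompt would hang an unattended run.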
@@ -0,0 +1,55 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 4.5 Activate AppArmor (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='apparmor' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is absent !" + else + ok "$PACKAGE is installed" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed, please install $PACKAGE and configure it" + else + ok "$PACKAGE is installed" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.1.1_disable_nis.sh b/bin/hardening/5.1.1_disable_nis.sh new file mode 100755 index 0000000..afe81f5 --- /dev/null +++ b/bin/hardening/5.1.1_disable_nis.sh 
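Review bot: audit in 4.5_enable_apparmor.sh only asks dpkg whether the `apparmor` package is present, which says nothing about whether the LSM is loaded and profiles are enforcing; a host with the package installed but AppArmor disabled on the kernel command line would pass. Checking `/sys/module/apparmor/parameters/enabled` for `Y` (or `aa-status --enabled`) in addition to the package test would make the check reflect the control's intent, and the `"$PACKAGE is installed"` finding could then state what was actually verified.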
@@ -0,0 +1,55 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.1 Ensure NIS is not installed (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='nis' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + else + ok "$PACKAGE is absent" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/4.2_enable_nx_support.cfg b/etc/conf.d/4.2_enable_nx_support.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/4.2_enable_nx_support.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/4.3_enable_randomized_vm_placement.cfg b/etc/conf.d/4.3_enable_randomized_vm_placement.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/4.3_enable_randomized_vm_placement.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/4.4_disable_prelink.cfg b/etc/conf.d/4.4_disable_prelink.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/4.4_disable_prelink.cfg 
@@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/4.5_enable_apparmor.cfg b/etc/conf.d/4.5_enable_apparmor.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/4.5_enable_apparmor.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/5.1.1_disable_nis.cfg b/etc/conf.d/5.1.1_disable_nis.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/5.1.1_disable_nis.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/lib/utils.sh b/lib/utils.sh index 6fafe73..594eb70 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -10,7 +10,7 @@ has_sysctl_param_expected_result() { if [ "$(sysctl $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then FNRET=0 - elif [ $? != 0 ]; then + elif [ $? = 255 ]; then debug "$SYSCTL_PARAM does not exist" FNRET=255 else @@ -23,7 +23,7 @@ set_sysctl_param() { local SYSCTL_PARAM=$1 local VALUE=$2 debug "Setting $SYSCTL_PARAM to $VALUE" - if [ "$(sysctl -w $SYSCTL_PARAM 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then + if [ "$(sysctl -w $SYSCTL_PARAM=$VALUE 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then FNRET=0 elif [ $? != 0 ]; then debug "$SYSCTL_PARAM does not exist" @@ -34,6 +34,18 @@ set_sysctl_param() { fi } +# +# Dmesg Manipulation +# + +does_pattern_exists_in_dmesg() { + local PATTERN=$1 + if $(dmesg | grep -qE "$PATTERN"); then + FNRET=0 + else + FNRET=1 + fi +} # # File manipulation @@ -275,8 +287,10 @@ is_pkg_installed() { PKG_NAME=$1 if $(dpkg -s $PKG_NAME 2> /dev/null | grep -q '^Status: install ') ; then + debug "$PKG_NAME is installed" FNRET=0 else + debug "$PKG_NAME is not installed" FNRET=1 fi } From ef45a0d6310685eaa4267122ddbe8f9f8497a6ec Mon Sep 17 00:00:00 2001 
From: "thibault.dewailly" Date: Mon, 11 Apr 2016 17:42:31 +0200 Subject: [PATCH 23/64] 5.1.2_disable_rsh.sh 5.1.3_disable_rsh_client.sh --- bin/hardening/4.1_restrict_core_dumps.sh | 2 +- bin/hardening/4.2_enable_nx_support.sh | 2 +- .../4.3_enable_randomized_vm_placement.sh | 2 +- bin/hardening/5.1.2_disable_rsh.sh | 83 +++++++++++++++++++ bin/hardening/5.1.3_disable_rsh_client.sh | 58 +++++++++++++ etc/conf.d/4.2_enable_nx_support.cfg | 2 +- .../4.3_enable_randomized_vm_placement.cfg | 2 +- etc/conf.d/4.4_disable_prelink.cfg | 2 +- etc/conf.d/4.5_enable_apparmor.cfg | 2 +- etc/conf.d/5.1.1_disable_nis.cfg | 2 +- etc/conf.d/5.1.2_disable_rsh.cfg | 2 + etc/conf.d/5.1.3_disable_rsh_client.cfg | 2 + 12 files changed, 153 insertions(+), 8 deletions(-) create mode 100755 bin/hardening/5.1.2_disable_rsh.sh create mode 100755 bin/hardening/5.1.3_disable_rsh_client.sh create mode 100644 etc/conf.d/5.1.2_disable_rsh.cfg create mode 100644 etc/conf.d/5.1.3_disable_rsh_client.cfg diff --git a/bin/hardening/4.1_restrict_core_dumps.sh b/bin/hardening/4.1_restrict_core_dumps.sh index 66fd715..7f6a4b6 100755 --- a/bin/hardening/4.1_restrict_core_dumps.sh +++ b/bin/hardening/4.1_restrict_core_dumps.sh @@ -5,7 +5,7 @@ # # -# Hardening script skeleton replace this line with proper point treated +# 4.1 Restrict Core Dumps (Scored) # set -e # One error, it's over diff --git a/bin/hardening/4.2_enable_nx_support.sh b/bin/hardening/4.2_enable_nx_support.sh index 4ca2292..d5c4962 100755 --- a/bin/hardening/4.2_enable_nx_support.sh +++ b/bin/hardening/4.2_enable_nx_support.sh @@ -5,7 +5,7 @@ # # -# Hardening script skeleton replace this line with proper point treated +# 4.2 Enable XD/NX Support on 32-bit x86 Systems (Not Scored) # set -e # One error, it's over diff --git a/bin/hardening/4.3_enable_randomized_vm_placement.sh b/bin/hardening/4.3_enable_randomized_vm_placement.sh index c7204aa..ded11c1 100755 --- a/bin/hardening/4.3_enable_randomized_vm_placement.sh 
+++ b/bin/hardening/4.3_enable_randomized_vm_placement.sh @@ -5,7 +5,7 @@ # # -# Hardening script skeleton replace this line with proper point treated +# 4.3 Enable Randomized Virtual Memory Region Placement (Scored) # set -e # One error, it's over diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh new file mode 100755 index 0000000..cf319fd --- /dev/null +++ b/bin/hardening/5.1.2_disable_rsh.sh 
@@ -0,0 +1,83 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.2 Ensure rsh server is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='rsh-server' +FILE='/etc/inetd.conf' +PATTERN='^(shell|login|exec)' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, checking configuration" + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, $PACKAGE services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi + else + ok "$PACKAGE is absent" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + else + ok "$PACKAGE is absent" + fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . 
$CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.1.3_disable_rsh_client.sh b/bin/hardening/5.1.3_disable_rsh_client.sh new file mode 100755 index 0000000..72fcfa9 --- /dev/null +++ b/bin/hardening/5.1.3_disable_rsh_client.sh @@ -0,0 +1,58 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.3 Ensure rsh client is not installed (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='rsh-client rsh-redone-client' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, purging" + apt-get purge $PACKAGE -y + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/4.2_enable_nx_support.cfg b/etc/conf.d/4.2_enable_nx_support.cfg index e1e4502..acee522 100644 --- a/etc/conf.d/4.2_enable_nx_support.cfg +++ b/etc/conf.d/4.2_enable_nx_support.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=enabled +status=disabled 
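Review bot: `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE` in apply of 5.1.2_disable_rsh.sh is not `-i -e`: with GNU sed, `-ie` is `-i` with the backup suffix `e`, so every apply leaves a stray `/etc/inetd.confe` beside the real file, and backup_file has already made the copy; write `sed -i -e "s/$ESCAPED_PATTERN/#&/g" "$FILE"`. The same line appears in 5.1.4_disable_talk.sh later in the series. After the entries are commented out nothing signals the inetd in use to reread its configuration, so the services presumably keep listening until the daemon is restarted. The ERE-to-BRE escape also relies on GNU sed's `\|` alternation, which is fine on Debian but deserves a comment.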
diff --git a/etc/conf.d/4.3_enable_randomized_vm_placement.cfg b/etc/conf.d/4.3_enable_randomized_vm_placement.cfg index e1e4502..acee522 100644 --- a/etc/conf.d/4.3_enable_randomized_vm_placement.cfg +++ b/etc/conf.d/4.3_enable_randomized_vm_placement.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=enabled +status=disabled diff --git a/etc/conf.d/4.4_disable_prelink.cfg b/etc/conf.d/4.4_disable_prelink.cfg index e1e4502..acee522 100644 --- a/etc/conf.d/4.4_disable_prelink.cfg +++ b/etc/conf.d/4.4_disable_prelink.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=enabled +status=disabled diff --git a/etc/conf.d/4.5_enable_apparmor.cfg b/etc/conf.d/4.5_enable_apparmor.cfg index e1e4502..acee522 100644 --- a/etc/conf.d/4.5_enable_apparmor.cfg +++ b/etc/conf.d/4.5_enable_apparmor.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=enabled +status=disabled diff --git a/etc/conf.d/5.1.1_disable_nis.cfg b/etc/conf.d/5.1.1_disable_nis.cfg index e1e4502..acee522 100644 --- a/etc/conf.d/5.1.1_disable_nis.cfg +++ b/etc/conf.d/5.1.1_disable_nis.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=enabled +status=disabled diff --git a/etc/conf.d/5.1.2_disable_rsh.cfg b/etc/conf.d/5.1.2_disable_rsh.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/5.1.2_disable_rsh.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled diff --git a/etc/conf.d/5.1.3_disable_rsh_client.cfg b/etc/conf.d/5.1.3_disable_rsh_client.cfg new file mode 100644 index 0000000..acee522 --- /dev/null +++ b/etc/conf.d/5.1.3_disable_rsh_client.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=disabled From 4698c0bc81ba26d02a315a122f9cd34cf6b7005a Mon Sep 17 00:00:00 2001 
From: "thibault.dewailly" Date: Mon, 11 Apr 2016 17:50:06 +0200 Subject: [PATCH 24/64] 5.1.4_disable_talk.sh --- bin/hardening/5.1.4_disable_talk.sh | 83 +++++++++++++++++++++++++++++ etc/conf.d/5.1.4_disable_talk.cfg | 2 + 2 files changed, 85 insertions(+) create mode 100755 bin/hardening/5.1.4_disable_talk.sh create mode 100644 etc/conf.d/5.1.4_disable_talk.cfg diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh new file mode 100755 index 0000000..8bf4b9b --- /dev/null +++ b/bin/hardening/5.1.4_disable_talk.sh 
@@ -0,0 +1,83 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.2 Ensure rsh server is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='inetutils-talk' +FILE='/etc/inetd.conf' +PATTERN='^(talk|ntalk)' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, checking configuration" + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, $PACKAGE services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi + else + ok "$PACKAGE is absent" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + else + ok "$PACKAGE is absent" + fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . 
$CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/5.1.4_disable_talk.cfg b/etc/conf.d/5.1.4_disable_talk.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/5.1.4_disable_talk.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From 7d2b202d1215d9eb2ac9440aa75d079df752aa88 Mon Sep 17 00:00:00 2001
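Review bot: The CIS_ROOT_DIR guard at the end of this new file prints "No CIS_ROOT_DIR variable, aborting" but never exits, so an empty value falls through to `[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh` and the script silently does nothing; add `exit 128` after the echo, as the missing-file branch just above already does. Under `set -u` an unset CIS_ROOT_DIR already terminates bash with an unbound-variable error before the `[ -z $CIS_ROOT_DIR ]` test runs, so this branch only ever sees the empty-string case and should abort explicitly. Separately, in apply() the line `sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE` is GNU sed's `-i` with backup suffix `e` rather than `-i -e`, so every remediation leaves a stray copy of /etc/inetd.conf with an `e` appended to its name next to the copy that `backup_file $FILE` already made; use `sed -i "s/$ESCAPED_PATTERN/#&/g" "$FILE"`. Both patterns are repeated verbatim in the 5.1.2, 5.1.6, 5.1.7, 5.2, 5.3, 5.4, 5.5 and 5.6 hunks below, and the non-aborting guard also in 5.1.5, 5.1.8 and 6.1.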
From: "thibault.dewailly" Date: Tue, 12 Apr 2016 08:31:41 +0200 Subject: [PATCH 25/64] 5.1.5_disable_talk_client.sh 5.1.6_disable_telnet_server.sh 5.1.7_disable_tftp_server.sh 5.1.8_disable_inetd.sh 5.2_disable_chargen.sh 5.3_disable_daytime.sh 5.4_disable_echo.sh 5.5_disable_discard.sh 5.6_disable_time.sh 6.1_disable_xwindow_system.sh --- .../2.17_sticky_bit_world_writable_folder.sh | 2 +- bin/hardening/3.4_root_password.sh | 2 +- bin/hardening/5.1.2_disable_rsh.sh | 73 ++++++++-------- bin/hardening/5.1.4_disable_talk.sh | 75 ++++++++-------- bin/hardening/5.1.5_disable_talk_client.sh | 58 +++++++++++++ bin/hardening/5.1.6_disable_telnet_server.sh | 86 ++++++++++++++++++ bin/hardening/5.1.7_disable_tftp_server.sh | 87 +++++++++++++++++++ bin/hardening/5.1.8_disable_inetd.sh | 58 +++++++++++++ bin/hardening/5.2_disable_chargen.sh | 68 +++++++++++++++ bin/hardening/5.3_disable_daytime.sh | 68 +++++++++++++++ bin/hardening/5.4_disable_echo.sh | 68 +++++++++++++++ bin/hardening/5.5_disable_discard.sh | 68 +++++++++++++++ bin/hardening/5.6_disable_time.sh | 68 +++++++++++++++ bin/hardening/6.1_disable_xwindow_system.sh | 58 +++++++++++++ etc/conf.d/5.1.2_disable_rsh.cfg | 2 +- etc/conf.d/5.1.5_disable_talk_client.cfg | 2 + etc/conf.d/5.1.6_disable_telnet_server.cfg | 2 + etc/conf.d/5.1.7_disable_tftp_server.cfg | 2 + etc/conf.d/5.1.8_disable_inetd.cfg | 2 + etc/conf.d/5.2_disable_chargen.cfg | 2 + etc/conf.d/5.3_disable_daytime.cfg | 2 + etc/conf.d/5.4_disable_echo.cfg | 2 + etc/conf.d/5.5_disable_discard.cfg | 2 + etc/conf.d/5.6_disable_time.cfg | 2 + etc/conf.d/6.1_disable_xwindow_system.cfg | 2 + 25 files changed, 787 insertions(+), 74 deletions(-) create mode 100755 bin/hardening/5.1.5_disable_talk_client.sh create mode 100755 bin/hardening/5.1.6_disable_telnet_server.sh create mode 100755 bin/hardening/5.1.7_disable_tftp_server.sh create mode 100755 bin/hardening/5.1.8_disable_inetd.sh create mode 100755 bin/hardening/5.2_disable_chargen.sh create mode 100755 
bin/hardening/5.3_disable_daytime.sh create mode 100755 bin/hardening/5.4_disable_echo.sh create mode 100755 bin/hardening/5.5_disable_discard.sh create mode 100755 bin/hardening/5.6_disable_time.sh create mode 100755 bin/hardening/6.1_disable_xwindow_system.sh create mode 100644 etc/conf.d/5.1.5_disable_talk_client.cfg create mode 100644 etc/conf.d/5.1.6_disable_telnet_server.cfg create mode 100644 etc/conf.d/5.1.7_disable_tftp_server.cfg create mode 100644 etc/conf.d/5.1.8_disable_inetd.cfg create mode 100644 etc/conf.d/5.2_disable_chargen.cfg create mode 100644 etc/conf.d/5.3_disable_daytime.cfg create mode 100644 etc/conf.d/5.4_disable_echo.cfg create mode 100644 etc/conf.d/5.5_disable_discard.cfg create mode 100644 etc/conf.d/5.6_disable_time.cfg create mode 100644 etc/conf.d/6.1_disable_xwindow_system.cfg diff --git a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh index 99d8025..0183a36 100755 --- a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh +++ b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh @@ -5,7 +5,7 @@ # # -# Hardening script skeleton replace this line with proper point treated +# 2.17 Set Sticky Bit on All World-Writable Directories (Scored) # set -e # One error, it's over diff --git a/bin/hardening/3.4_root_password.sh b/bin/hardening/3.4_root_password.sh index af38c63..f37bfb0 100755 --- a/bin/hardening/3.4_root_password.sh +++ b/bin/hardening/3.4_root_password.sh @@ -5,7 +5,7 @@ # # -# Hardening script skeleton replace this line with proper point treated +# 3.4 Require Authentication for Single-User Mode (Scored) # set -e # One error, it's over diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh index cf319fd..d86a588 100755 --- a/bin/hardening/5.1.2_disable_rsh.sh +++ b/bin/hardening/5.1.2_disable_rsh.sh 
@@ -11,56 +11,59 @@ set -e # One error, it's over set -u # One variable unset, it's over -PACKAGE='rsh-server' +PACKAGES='rsh-server rsh-redone-server' FILE='/etc/inetd.conf' PATTERN='^(shell|login|exec)' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - warn "$PACKAGE is installed, checking configuration" - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exists_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, $PACKAGE services are enabled !" + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, checking configuration" + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" else - ok "$PATTERN not present in $FILE" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, $PACKAGE services are enabled !" 
+ else + ok "$PATTERN not present in $FILE" + fi fi + else + ok "$PACKAGE is absent" fi - else - ok "$PACKAGE is absent" - fi - : + done } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - else - ok "$PACKAGE is absent" - fi - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exists_in_file $FILE $PATTERN + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then - warn "$PATTERN present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y else - ok "$PATTERN not present in $FILE" + ok "$PACKAGE is absent" fi - fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi + done } # This function will check config parameters required diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh index 8bf4b9b..1f5e83a 100755 --- a/bin/hardening/5.1.4_disable_talk.sh +++ b/bin/hardening/5.1.4_disable_talk.sh 
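Review bot: Moving the /etc/inetd.conf handling inside the `for PACKAGE in $PACKAGES` loop in apply() makes the file be scanned, backed up and rewritten once per entry of PACKAGES, so with `rsh-server rsh-redone-server` the pattern check and sed run twice on the same file and the second pass can only log "not present"; purge packages in the loop and comment the inetd entry once after `done`. audit() still only inspects inetd.conf when a package is installed, while apply() edits it unconditionally, so an audit can report all ok on a host where apply would still modify the file; either check the file in audit regardless of package state or document the asymmetry. The same restructuring appears in the 5.1.4 hunk directly below and in the new 5.1.6 and 5.1.7 files.
```shell
apply () {
    for PACKAGE in $PACKAGES; do
        # … unchanged: is_pkg_installed / purge branch …
    done
    # The inetd entry is shared by all packages: comment it out once, not per package
    does_file_exist $FILE
    if [ $FNRET != 0 ]; then
        ok "$FILE does not exist"
    else
        # … unchanged: pattern check, backup_file, sed …
    fi
}
```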
@@ -5,62 +5,65 @@ # # -# 5.1.2 Ensure rsh server is not enabled (Scored) +# 5.1.4 Ensure talk server is not enabled (Scored) # set -e # One error, it's over set -u # One variable unset, it's over -PACKAGE='inetutils-talk' +PACKAGES='inetutils-talkd talkd' FILE='/etc/inetd.conf' PATTERN='^(talk|ntalk)' # This function will be called if the script status is on enabled / audit mode audit () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - warn "$PACKAGE is installed, checking configuration" - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - does_pattern_exists_in_file $FILE $PATTERN - if [ $FNRET = 0 ]; then - crit "$PATTERN exists, $PACKAGE services are enabled !" + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, checking configuration" + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" else - ok "$PATTERN not present in $FILE" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, $PACKAGE services are enabled !" 
+ else + ok "$PATTERN not present in $FILE" + fi fi + else + ok "$PACKAGE is absent" fi - else - ok "$PACKAGE is absent" - fi - : + done } # This function will be called if the script status is on enabled mode apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - crit "$PACKAGE is installed, purging it" - apt-get purge $PACKAGE -y - else - ok "$PACKAGE is absent" - fi - does_file_exist $FILE - if [ $FNRET != 0 ]; then - ok "$FILE does not exist" - else - info "$FILE exists, checking patterns" - does_pattern_exists_in_file $FILE $PATTERN + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE if [ $FNRET = 0 ]; then - warn "$PATTERN present in $FILE, purging it" - backup_file $FILE - ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) - sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y else - ok "$PATTERN not present in $FILE" + ok "$PACKAGE is absent" fi - fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi + done } # This function will check config parameters required diff --git a/bin/hardening/5.1.5_disable_talk_client.sh b/bin/hardening/5.1.5_disable_talk_client.sh new file mode 100755 index 0000000..7bb9a5f --- /dev/null +++ b/bin/hardening/5.1.5_disable_talk_client.sh 
@@ -0,0 +1,58 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.5 Ensure talk client is not installed (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='talk inetutils-talk' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, purging" + apt-get purge $PACKAGE -y + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh new file mode 100755 index 0000000..cd89e14 --- /dev/null +++ b/bin/hardening/5.1.6_disable_telnet_server.sh 
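Review bot: audit() reports an installed package with `crit "$PACKAGE is installed"` while apply() logs the identical finding as `warn "$PACKAGE is installed, purging"`, so the severity of one condition depends on which mode the script runs in and a log reader filtering on crit will miss it during remediation. The sibling 5.1.4 and 5.1.6 scripts use `crit "$PACKAGE is installed, purging it"` in apply(); pick one level for both paths. The 5.1.8 hunk further down has the same mismatch.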
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.6 Ensure telnet server is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='telnetd inetutils-telnetd telnetd-ssl' +FILE='/etc/inetd.conf' +PATTERN='^telnet' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, checking configuration" + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, $PACKAGE services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + else + ok "$PACKAGE is absent" + fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.1.7_disable_tftp_server.sh b/bin/hardening/5.1.7_disable_tftp_server.sh new file mode 100755 index 0000000..8f9c2e9 --- /dev/null +++ b/bin/hardening/5.1.7_disable_tftp_server.sh 
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.7 Ensure tftp-server is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='tftpd tftpd-hpa atftpd' +FILE='/etc/inetd.conf' +PATTERN='^tftp' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, checking configuration" + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, $PACKAGE services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + else + ok "$PACKAGE is absent" + fi + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + echo "coucou" + else + ok "$PATTERN not present in $FILE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.1.8_disable_inetd.sh b/bin/hardening/5.1.8_disable_inetd.sh new file mode 100755 index 0000000..f290e68 --- /dev/null +++ b/bin/hardening/5.1.8_disable_inetd.sh @@ -0,0 +1,58 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.1.8 Ensure xinetd is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='openbsd-inetd xinetd rlinetd' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + warn "$PACKAGE is installed, purging" + apt-get purge $PACKAGE -y + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.2_disable_chargen.sh b/bin/hardening/5.2_disable_chargen.sh new file mode 100755 index 0000000..2ce2870 --- /dev/null 
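Review bot: `echo "coucou"` right after the sed in apply() is a leftover debug print that goes to stdout on every remediation run, outside the logging helpers the rest of the file uses; remove it, the `warn "$PATTERN present in $FILE, purging it"` two lines above already reports the action. Apart from that line the file mirrors 5.1.6, including the per-package inetd.conf rewrite and the non-aborting CIS_ROOT_DIR guard.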
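Review bot: The header comment `# 5.1.8 Ensure xinetd is not enabled (Scored)` names only xinetd, but `PACKAGES='openbsd-inetd xinetd rlinetd'` makes apply() purge every inetd-style super-server, which is a wider change than the title announces; a comment above PACKAGES such as `# CIS 5.1.8 names xinetd; Debian ships the same role as openbsd-inetd and rlinetd, so all three are removed` would make the scope explicit. Purging openbsd-inetd presumably also drops its conffile /etc/inetd.conf, which changes what the 5.1.x and 5.2–5.6 scripts find afterwards, so the intended run order deserves a note as well. audit() uses `crit` and apply() `warn` for the same finding, as in 5.1.5.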
+++ b/bin/hardening/5.2_disable_chargen.sh @@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.2 Ensure chargen is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/inetd.conf' +PATTERN='^chargen' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, chargen services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.3_disable_daytime.sh b/bin/hardening/5.3_disable_daytime.sh new file mode 100755 index 0000000..cb12750 --- /dev/null +++ b/bin/hardening/5.3_disable_daytime.sh 
@@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.3 Ensure daytime is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/inetd.conf' +PATTERN='^daytime' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, chargen services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.4_disable_echo.sh b/bin/hardening/5.4_disable_echo.sh new file mode 100755 index 0000000..d899e8f --- /dev/null +++ b/bin/hardening/5.4_disable_echo.sh 
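Review bot: The crit message in audit() still reads `crit "$PATTERN exists, chargen services are enabled !"` although this script checks the daytime entry, so an operator reading the log is told the wrong service is enabled; change it to `crit "$PATTERN exists, daytime services are enabled !"`. The same copied string appears in the 5.4 (echo), 5.5 (discard) and 5.6 (time) hunks below and needs the matching service name in each.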
@@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.4 Ensure echo is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/inetd.conf' +PATTERN='^echo' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, chargen services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.5_disable_discard.sh b/bin/hardening/5.5_disable_discard.sh new file mode 100755 index 0000000..0fce91d --- /dev/null +++ b/bin/hardening/5.5_disable_discard.sh 
@@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.5 Ensure discard is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/inetd.conf' +PATTERN='^discard' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, chargen services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/5.6_disable_time.sh b/bin/hardening/5.6_disable_time.sh new file mode 100755 index 0000000..0267904 --- /dev/null +++ b/bin/hardening/5.6_disable_time.sh 
@@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 5.6 Ensure time is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/inetd.conf' +PATTERN='^time' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + crit "$PATTERN exists, chargen services are enabled !" + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + ok "$FILE does not exist" + else + info "$FILE exists, checking patterns" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + warn "$PATTERN present in $FILE, purging it" + backup_file $FILE + ESCAPED_PATTERN=$(sed "s/|\|(\|)/\\\&/g" <<< $PATTERN) + sed -ie "s/$ESCAPED_PATTERN/#&/g" $FILE + else + ok "$PATTERN not present in $FILE" + fi + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.1_disable_xwindow_system.sh b/bin/hardening/6.1_disable_xwindow_system.sh new file mode 100755 index 0000000..e95ff77 --- /dev/null +++ b/bin/hardening/6.1_disable_xwindow_system.sh 
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.1 Ensure the X Window system is not installed (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/5.1.2_disable_rsh.cfg b/etc/conf.d/5.1.2_disable_rsh.cfg
index acee522..e1e4502 100644
--- a/etc/conf.d/5.1.2_disable_rsh.cfg
+++ b/etc/conf.d/5.1.2_disable_rsh.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=disabled
+status=enabled
diff --git a/etc/conf.d/5.1.5_disable_talk_client.cfg b/etc/conf.d/5.1.5_disable_talk_client.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/5.1.5_disable_talk_client.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
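Review bot: The `else` branch of the CIS_ROOT_DIR check in 6.1_disable_xwindow_system.sh prints `No CIS_ROOT_DIR variable, aborting` but never exits, so when /etc/default/cis-hardenning sets the variable to an empty string the script goes on to test `[ -r /lib/main.sh ]`, finds nothing and ends non-zero without having said why, and neither audit() nor apply() ever runs. Add `exit 128` after that echo, matching the branch above it. The same template is pasted into every new script in this series (5.5, 5.6, 6.2–6.8, 6.9–6.14), so the fix belongs in all of them. Also, apply() purges with plain `apt-get purge $PACKAGE -y` while 1.1_Install_Updates.sh prefixes its apt-get call with `DEBIAN_FRONTEND='noninteractive'` and the dpkg force-conf options; the same prefix here keeps a maintainer prompt from stalling an unattended run.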
diff --git a/etc/conf.d/5.1.6_disable_telnet_server.cfg b/etc/conf.d/5.1.6_disable_telnet_server.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/5.1.6_disable_telnet_server.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/5.1.7_disable_tftp_server.cfg b/etc/conf.d/5.1.7_disable_tftp_server.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/5.1.7_disable_tftp_server.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/5.1.8_disable_inetd.cfg b/etc/conf.d/5.1.8_disable_inetd.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/5.1.8_disable_inetd.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/5.2_disable_chargen.cfg b/etc/conf.d/5.2_disable_chargen.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/5.2_disable_chargen.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/5.3_disable_daytime.cfg b/etc/conf.d/5.3_disable_daytime.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/5.3_disable_daytime.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/5.4_disable_echo.cfg b/etc/conf.d/5.4_disable_echo.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/5.4_disable_echo.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/5.5_disable_discard.cfg b/etc/conf.d/5.5_disable_discard.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/5.5_disable_discard.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/5.6_disable_time.cfg b/etc/conf.d/5.6_disable_time.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/5.6_disable_time.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/6.1_disable_xwindow_system.cfg b/etc/conf.d/6.1_disable_xwindow_system.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/6.1_disable_xwindow_system.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From a54abb24969956055637e247d5a208e3ed63b1fc Mon Sep 17 00:00:00 2001
From: "thibault.dewailly" Date: Tue, 12 Apr 2016 11:21:36 +0200 Subject: [PATCH 26/64] 6.2_disable_avahi_server.sh 6.3_disable_print_server.sh 6.4_disable_dhcp.sh 6.5_configure_ntp.sh 6.6_diable_ldap.sh 6.7_disable_nfs_rpc.sh 6.8_disable_dns_server.sh --- bin/hardening/4.4_disable_prelink.sh | 1 + bin/hardening/5.1.1_disable_nis.sh | 1 + bin/hardening/5.1.2_disable_rsh.sh | 1 + bin/hardening/5.1.3_disable_rsh_client.sh | 1 + bin/hardening/5.1.4_disable_talk.sh | 1 + bin/hardening/5.1.5_disable_talk_client.sh | 1 + bin/hardening/5.1.6_disable_telnet_server.sh | 1 + bin/hardening/5.1.7_disable_tftp_server.sh | 1 + bin/hardening/5.1.8_disable_inetd.sh | 1 + bin/hardening/6.1_disable_xwindow_system.sh | 1 + bin/hardening/6.2_disable_avahi_server.sh | 59 +++++++++++++ bin/hardening/6.3_disable_print_server.sh | 59 +++++++++++++ bin/hardening/6.4_disable_dhcp.sh | 59 +++++++++++++ bin/hardening/6.5_configure_ntp.sh | 87 ++++++++++++++++++++ bin/hardening/6.6_diable_ldap.sh | 59 +++++++++++++ bin/hardening/6.7_disable_nfs_rpc.sh | 59 +++++++++++++ bin/hardening/6.8_disable_dns_server.sh | 59 +++++++++++++ etc/conf.d/6.2_disable_avahi_server.cfg | 2 + etc/conf.d/6.3_disable_print_server.cfg | 2 + etc/conf.d/6.4_disable_dhcp.cfg | 2 + etc/conf.d/6.5_configure_ntp.cfg | 2 + etc/conf.d/6.6_diable_ldap.cfg | 2 + etc/conf.d/6.7_disable_nfs_rpc.cfg | 2 + etc/conf.d/6.8_disable_dns_server.cfg | 2 + lib/utils.sh | 19 ++++- 25 files changed, 483 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/6.2_disable_avahi_server.sh create mode 100755 bin/hardening/6.3_disable_print_server.sh create mode 100755 bin/hardening/6.4_disable_dhcp.sh create mode 100755 bin/hardening/6.5_configure_ntp.sh create mode 100755 bin/hardening/6.6_diable_ldap.sh create mode 100755 bin/hardening/6.7_disable_nfs_rpc.sh create mode 100755 bin/hardening/6.8_disable_dns_server.sh create mode 100644 etc/conf.d/6.2_disable_avahi_server.cfg create mode 100644 etc/conf.d/6.3_disable_print_server.cfg 
create mode 100644 etc/conf.d/6.4_disable_dhcp.cfg create mode 100644 etc/conf.d/6.5_configure_ntp.cfg create mode 100644 etc/conf.d/6.6_diable_ldap.cfg create mode 100644 etc/conf.d/6.7_disable_nfs_rpc.cfg create mode 100644 etc/conf.d/6.8_disable_dns_server.cfg
diff --git a/bin/hardening/4.4_disable_prelink.sh b/bin/hardening/4.4_disable_prelink.sh
index 52693da..3770a6b 100755
--- a/bin/hardening/4.4_disable_prelink.sh
+++ b/bin/hardening/4.4_disable_prelink.sh
@@ -31,6 +31,7 @@ apply () {
 crit "$PACKAGE is installed, purging it"
 /usr/sbin/prelink -ua
 apt-get purge $PACKAGE -y
+ apt-get autoremove
 else
 ok "$PACKAGE is absent"
 fi
diff --git a/bin/hardening/5.1.1_disable_nis.sh b/bin/hardening/5.1.1_disable_nis.sh
index afe81f5..ddabc5b 100755
--- a/bin/hardening/5.1.1_disable_nis.sh
+++ b/bin/hardening/5.1.1_disable_nis.sh
@@ -30,6 +30,7 @@ apply () {
 if [ $FNRET = 0 ]; then
 crit "$PACKAGE is installed, purging it"
 apt-get purge $PACKAGE -y
+ apt-get autoremove
 else
 ok "$PACKAGE is absent"
 fi
diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh
index d86a588..0abc6b6 100755
--- a/bin/hardening/5.1.2_disable_rsh.sh
+++ b/bin/hardening/5.1.2_disable_rsh.sh
@@ -45,6 +45,7 @@ apply () {
 if [ $FNRET = 0 ]; then
 crit "$PACKAGE is installed, purging it"
 apt-get purge $PACKAGE -y
+ apt-get autoremove
 else
 ok "$PACKAGE is absent"
 fi
diff --git a/bin/hardening/5.1.3_disable_rsh_client.sh b/bin/hardening/5.1.3_disable_rsh_client.sh
index 72fcfa9..5104dfc 100755
--- a/bin/hardening/5.1.3_disable_rsh_client.sh
+++ b/bin/hardening/5.1.3_disable_rsh_client.sh
@@ -32,6 +32,7 @@ apply () {
 if [ $FNRET = 0 ]; then
 warn "$PACKAGE is installed, purging"
 apt-get purge $PACKAGE -y
+ apt-get autoremove
 else
 ok "$PACKAGE is absent"
 fi
diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh
index 1f5e83a..ffd320b 100755
--- a/bin/hardening/5.1.4_disable_talk.sh
+++ b/bin/hardening/5.1.4_disable_talk.sh
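Review bot: The added `apt-get autoremove` in apply() of 4.4_disable_prelink.sh carries no `-y`, so whenever autoremove has candidates it prompts `Do you want to continue?`; in an unattended run with no tty apt-get reads EOF on stdin, prints `Abort.` and exits 1, which under the script's `set -e` kills the hardening run in the middle of apply() with the purge already done and the remaining controls never applied. Change it to `apt-get autoremove -y`, ideally with the `DEBIAN_FRONTEND='noninteractive'` prefix that 1.1_Install_Updates.sh and the new apt_install helper use. The identical line is added to 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8 and 6.1 in this commit and is part of the new 6.2–6.8 scripts, so the change applies to all of them.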
@@ -45,6 +45,7 @@ apply () {
 if [ $FNRET = 0 ]; then
 crit "$PACKAGE is installed, purging it"
 apt-get purge $PACKAGE -y
+ apt-get autoremove
 else
 ok "$PACKAGE is absent"
 fi
diff --git a/bin/hardening/5.1.5_disable_talk_client.sh b/bin/hardening/5.1.5_disable_talk_client.sh
index 7bb9a5f..3e5c927 100755
--- a/bin/hardening/5.1.5_disable_talk_client.sh
+++ b/bin/hardening/5.1.5_disable_talk_client.sh
@@ -32,6 +32,7 @@ apply () {
 if [ $FNRET = 0 ]; then
 warn "$PACKAGE is installed, purging"
 apt-get purge $PACKAGE -y
+ apt-get autoremove
 else
 ok "$PACKAGE is absent"
 fi
diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh
index cd89e14..6329d72 100755
--- a/bin/hardening/5.1.6_disable_telnet_server.sh
+++ b/bin/hardening/5.1.6_disable_telnet_server.sh
@@ -45,6 +45,7 @@ apply () {
 if [ $FNRET = 0 ]; then
 crit "$PACKAGE is installed, purging it"
 apt-get purge $PACKAGE -y
+ apt-get autoremove
 else
 ok "$PACKAGE is absent"
 fi
diff --git a/bin/hardening/5.1.7_disable_tftp_server.sh b/bin/hardening/5.1.7_disable_tftp_server.sh
index 8f9c2e9..0c39f26 100755
--- a/bin/hardening/5.1.7_disable_tftp_server.sh
+++ b/bin/hardening/5.1.7_disable_tftp_server.sh
@@ -45,6 +45,7 @@ apply () {
 if [ $FNRET = 0 ]; then
 crit "$PACKAGE is installed, purging it"
 apt-get purge $PACKAGE -y
+ apt-get autoremove
 else
 ok "$PACKAGE is absent"
 fi
diff --git a/bin/hardening/5.1.8_disable_inetd.sh b/bin/hardening/5.1.8_disable_inetd.sh
index f290e68..bad5b8c 100755
--- a/bin/hardening/5.1.8_disable_inetd.sh
+++ b/bin/hardening/5.1.8_disable_inetd.sh
@@ -32,6 +32,7 @@ apply () {
 if [ $FNRET = 0 ]; then
 warn "$PACKAGE is installed, purging"
 apt-get purge $PACKAGE -y
+ apt-get autoremove
 else
 ok "$PACKAGE is absent"
 fi
diff --git a/bin/hardening/6.1_disable_xwindow_system.sh b/bin/hardening/6.1_disable_xwindow_system.sh
index e95ff77..c50b597 100755
--- a/bin/hardening/6.1_disable_xwindow_system.sh
+++ b/bin/hardening/6.1_disable_xwindow_system.sh
@@ -32,6 +32,7 @@ apply () { if [ $FNRET = 0 ]; then crit "$PACKAGE is installed, purging it" apt-get purge $PACKAGE -y + apt-get autoremove else ok "$PACKAGE is absent" fi diff --git a/bin/hardening/6.2_disable_avahi_server.sh b/bin/hardening/6.2_disable_avahi_server.sh new file mode 100755 index 0000000..9d24d83 --- /dev/null +++ b/bin/hardening/6.2_disable_avahi_server.sh @@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.2 Ensure Avahi Server is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='avahi-daemon libavahi-common-data libavahi-common3 libavahi-core7' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y +apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.3_disable_print_server.sh b/bin/hardening/6.3_disable_print_server.sh new file mode 100755 index 0000000..f430c7e --- /dev/null +++ b/bin/hardening/6.3_disable_print_server.sh 
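Review bot: PACKAGES in 6.2_disable_avahi_server.sh lists the shared libraries `libavahi-common-data libavahi-common3 libavahi-core7` next to `avahi-daemon`, and apply() purges each of them with `-y`; purging a library package makes apt remove every reverse dependency without asking, and the avahi common libraries are, as far as I recall, dependencies of cups, pulseaudio and a good part of the GTK/GNOME stack, so a desktop or print host can lose far more than the mDNS daemon. The control as titled here, "Ensure Avahi Server is not enabled", is satisfied by `PACKAGES='avahi-daemon'` alone, without the collateral removal. The same concern applies to 6.3_disable_print_server.sh, where `libcups2` is a dependency of many packages unrelated to running a print server. Minor: the `apt-get autoremove` line after the purge has lost its indentation here and in 6.3, 6.4, 6.6, 6.7 and 6.8.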
@@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.3 Ensure print server is not enabled (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1 cups-common cups-client cups-ppdc libcupsfilters1 cups-filters cups' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y +apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.4_disable_dhcp.sh b/bin/hardening/6.4_disable_dhcp.sh new file mode 100755 index 0000000..8c1504a --- /dev/null +++ b/bin/hardening/6.4_disable_dhcp.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.4 Ensure DHCP Server is not enabled (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='udhcpd isc-dhcp-server' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y +apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.5_configure_ntp.sh b/bin/hardening/6.5_configure_ntp.sh new file mode 100755 index 0000000..df3c861 --- /dev/null +++ b/bin/hardening/6.5_configure_ntp.sh 
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.5 Configure Network Time Protocol (NTP) (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='ntp' +NTP_CONF_DEFAULT_PATTERN='^restrict -4 default (kod nomodify notrap nopeer noquery|ignore)' +NTP_CONF_FILE='/etc/ntp.conf' +NTP_INIT_PATTERN='RUNASUSER=ntp' +NTP_INIT_FILE='/etc/init.d/ntp' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed, checking configuration" + does_pattern_exists_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN + if [ $FNRET != 0 ]; then + crit "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE" + else + ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE" + fi + does_pattern_exists_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN" + if [ $FNRET != 0 ]; then + crit "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE" + else + ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + info "Checking $PACKAGE configuration" + fi + does_pattern_exists_in_file $NTP_CONF_FILE $NTP_CONF_DEFAULT_PATTERN + if [ $FNRET != 0 ]; then + warn "$NTP_CONF_DEFAULT_PATTERN not found in $NTP_CONF_FILE, adding it" + backup_file $NTP_CONF_FILE + add_end_of_file $NTP_CONF_FILE "restrict -4 default kod notrap nomodify nopeer noquery" + else + ok "$NTP_CONF_DEFAULT_PATTERN found in $NTP_CONF_FILE" + fi + does_pattern_exists_in_file $NTP_INIT_FILE "^$NTP_INIT_PATTERN" + if [ $FNRET != 0 ]; then + warn "$NTP_INIT_PATTERN not found in $NTP_INIT_FILE, adding it" + backup_file $NTP_INIT_FILE + add_line_file_before_pattern $NTP_INIT_FILE $NTP_INIT_PATTERN 
"^UGID" + else + ok "$NTP_INIT_PATTERN found in $NTP_INIT_FILE" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.6_diable_ldap.sh b/bin/hardening/6.6_diable_ldap.sh new file mode 100755 index 0000000..1126ec9 --- /dev/null +++ b/bin/hardening/6.6_diable_ldap.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.6 Ensure LDAP is not enabled (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='slapd' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y +apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.7_disable_nfs_rpc.sh b/bin/hardening/6.7_disable_nfs_rpc.sh new file mode 100755 index 0000000..40244dd --- /dev/null +++ b/bin/hardening/6.7_disable_nfs_rpc.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.7 Ensure NFS and RPC are not enabled (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='rpcbind nfs-kernel-server' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y +apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.8_disable_dns_server.sh b/bin/hardening/6.8_disable_dns_server.sh new file mode 100755 index 0000000..b3ecb69 --- /dev/null +++ b/bin/hardening/6.8_disable_dns_server.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.8 Ensure DNS Server is not enabled (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGES='bind9 unbound' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y +apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/6.2_disable_avahi_server.cfg b/etc/conf.d/6.2_disable_avahi_server.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/6.2_disable_avahi_server.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/6.3_disable_print_server.cfg b/etc/conf.d/6.3_disable_print_server.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/6.3_disable_print_server.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled 
diff --git a/etc/conf.d/6.4_disable_dhcp.cfg b/etc/conf.d/6.4_disable_dhcp.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/6.4_disable_dhcp.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/6.5_configure_ntp.cfg b/etc/conf.d/6.5_configure_ntp.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/6.5_configure_ntp.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/6.6_diable_ldap.cfg b/etc/conf.d/6.6_diable_ldap.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/6.6_diable_ldap.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/6.7_disable_nfs_rpc.cfg b/etc/conf.d/6.7_disable_nfs_rpc.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/6.7_disable_nfs_rpc.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/6.8_disable_dns_server.cfg b/etc/conf.d/6.8_disable_dns_server.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/6.8_disable_dns_server.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/lib/utils.sh b/lib/utils.sh index 594eb70..50a750d 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -107,7 +107,16 @@ add_end_of_file() { echo "$2" >> $FILE } +add_line_file_before_pattern() { + local FILE=$1 + local LINE=$2 + local PATTERN=$3 + debug "Inserting $LINE before $PATTERN in $FILE" + debug "sed -i '/$PATTERN/i $LINE' $FILE" + sed -i "/$PATTERN/i $LINE" $FILE + FNRET=0 +} # # User manipulation # @@ -242,7 +251,7 @@ remount_partition() { } # -# Helper functions to work with apt +# APT manipulation # apt_update_if_needed() 
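Review bot: `add_line_file_before_pattern` in lib/utils.sh splices `$PATTERN` and `$LINE` unescaped into the sed program (`sed -i "/$PATTERN/i $LINE" $FILE`), so a `/` in the pattern or a newline or backslash in the line changes the sed script instead of being matched or inserted literally, and `FNRET=0` is then assigned regardless of what sed returned. The only caller in this commit (6.5_configure_ntp.sh) passes fixed strings, so this is a contract gap rather than a live bug today; either document it above the function, `# PATTERN is a sed address regex and LINE a literal; neither may contain '/' or newlines`, or pick a delimiter that cannot appear in the arguments. The same unconditional `FNRET=0` is in the new `apt_install` in the next hunk; `sed -i "/$PATTERN/i $LINE" $FILE && FNRET=0 || FNRET=$?` (and the equivalent around apt-get) keeps the return contract honest when a helper is called without `set -e`.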
@@ -279,6 +288,14 @@ apt_check_updates() rm $DETAILS } +apt_install() +{ + local PACKAGE=$1 + DEBIAN_FRONTEND='noninteractive' apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install $PACKAGE -y + FNRET=0 +} + + # # Returns if a package is installed # From f408f6846e83436e2a62ed5972763df6e9db4faa Mon Sep 17 00:00:00 2001 
From: "thibault.dewailly" Date: Tue, 12 Apr 2016 17:59:17 +0200 Subject: [PATCH 27/64] 6.10_disable_http_server.sh 6.11_disable_imap_pop.sh 6.12_disable_samba.sh 6.13_diable_http_proxy.sh 6.14_disable_snmp_server.sh 6.15_mta_localhost.sh 6.9_disable_ftp.sh --- bin/hardening/5.1.2_disable_rsh.sh | 3 +- bin/hardening/5.1.3_disable_rsh_client.sh | 3 +- bin/hardening/5.1.6_disable_telnet_server.sh | 3 +- bin/hardening/6.10_disable_http_server.sh | 60 ++++++++++++++++++ bin/hardening/6.11_disable_imap_pop.sh | 60 ++++++++++++++++++ bin/hardening/6.12_disable_samba.sh | 59 +++++++++++++++++ bin/hardening/6.13_diable_http_proxy.sh | 59 +++++++++++++++++ bin/hardening/6.14_disable_snmp_server.sh | 59 +++++++++++++++++ bin/hardening/6.15_mta_localhost.sh | 66 ++++++++++++++++++++ bin/hardening/6.1_disable_xwindow_system.sh | 3 +- bin/hardening/6.2_disable_avahi_server.sh | 2 +- bin/hardening/6.3_disable_print_server.sh | 2 +- bin/hardening/6.4_disable_dhcp.sh | 2 +- bin/hardening/6.6_diable_ldap.sh | 2 +- bin/hardening/6.7_disable_nfs_rpc.sh | 2 +- bin/hardening/6.8_disable_dns_server.sh | 2 +- bin/hardening/6.9_disable_ftp.sh | 60 ++++++++++++++++++ etc/conf.d/6.10_disable_http_server.cfg | 2 + etc/conf.d/6.11_disable_imap_pop.cfg | 2 + etc/conf.d/6.12_disable_samba.cfg | 2 + etc/conf.d/6.13_diable_http_proxy.cfg | 2 + etc/conf.d/6.14_disable_snmp_server.cfg | 2 + etc/conf.d/6.15_mta_localhost.cfg | 2 + etc/conf.d/6.9_disable_ftp.cfg | 2 + 24 files changed, 451 insertions(+), 10 deletions(-) create mode 100755 bin/hardening/6.10_disable_http_server.sh create mode 100755 bin/hardening/6.11_disable_imap_pop.sh create mode 100755 bin/hardening/6.12_disable_samba.sh create mode 100755 bin/hardening/6.13_diable_http_proxy.sh create mode 100755 bin/hardening/6.14_disable_snmp_server.sh create mode 100755 bin/hardening/6.15_mta_localhost.sh create mode 100755 bin/hardening/6.9_disable_ftp.sh create mode 100644 etc/conf.d/6.10_disable_http_server.cfg create mode 100644 
etc/conf.d/6.11_disable_imap_pop.cfg create mode 100644 etc/conf.d/6.12_disable_samba.cfg create mode 100644 etc/conf.d/6.13_diable_http_proxy.cfg create mode 100644 etc/conf.d/6.14_disable_snmp_server.cfg create mode 100644 etc/conf.d/6.15_mta_localhost.cfg create mode 100644 etc/conf.d/6.9_disable_ftp.cfg diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh index 0abc6b6..802ab4b 100755 --- a/bin/hardening/5.1.2_disable_rsh.sh +++ b/bin/hardening/5.1.2_disable_rsh.sh @@ -11,7 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over -PACKAGES='rsh-server rsh-redone-server' +# Based on aptitude search '~Prsh-server' +PACKAGES='rsh-server rsh-redone-server heimdal-servers' FILE='/etc/inetd.conf' PATTERN='^(shell|login|exec)' diff --git a/bin/hardening/5.1.3_disable_rsh_client.sh b/bin/hardening/5.1.3_disable_rsh_client.sh index 5104dfc..679093a 100755 --- a/bin/hardening/5.1.3_disable_rsh_client.sh +++ b/bin/hardening/5.1.3_disable_rsh_client.sh @@ -11,7 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over -PACKAGES='rsh-client rsh-redone-client' +# Based on aptitude search '~Prsh-client', exluding ssh-client OFC +PACKAGES='rsh-client rsh-redone-client heimdal-clients' # This function will be called if the script status is on enabled / audit mode audit () { diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh index 6329d72..9d7b3f6 100755 --- a/bin/hardening/5.1.6_disable_telnet_server.sh +++ b/bin/hardening/5.1.6_disable_telnet_server.sh @@ -11,7 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over -PACKAGES='telnetd inetutils-telnetd telnetd-ssl' +# Based on aptitude search '~Ptelnet-server' +PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers' FILE='/etc/inetd.conf' PATTERN='^telnet' 
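Review bot: Adding `heimdal-clients` to PACKAGES in 5.1.3_disable_rsh_client.sh means apply() purges a package that, as far as I know, also ships the ordinary Heimdal Kerberos client tools (kinit, klist, kpasswd) and not only the kerberized rsh/rcp/rlogin binaries, so a host that authenticates through Heimdal loses its Kerberos client as a side effect of an rsh cleanup. If the `aptitude search '~Prsh-client'` result is the intended scope, say so with the caveat in the comment, e.g. `# heimdal-clients also provides kinit/klist; purge is intentional`, or leave the package out of apply() and only report it from audit(). The same trade-off applies to `heimdal-servers` in the 5.1.2 and 5.1.6 hunks above, which bundles several kerberized daemons beyond rshd and telnetd.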
diff --git a/bin/hardening/6.10_disable_http_server.sh b/bin/hardening/6.10_disable_http_server.sh new file mode 100755 index 0000000..72d3076 --- /dev/null +++ b/bin/hardening/6.10_disable_http_server.sh @@ -0,0 +1,60 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.10 Ensure HTTP Server is not enabled (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Based on aptitude search '~Phttpd' +PACKAGES='nginx apache2 lighttpd micro-httpd mini-httpd yaws boa bozohttpd' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.11_disable_imap_pop.sh b/bin/hardening/6.11_disable_imap_pop.sh new file mode 100755 index 0000000..9d4b82d --- /dev/null +++ b/bin/hardening/6.11_disable_imap_pop.sh 
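Review bot: audit() in 6.10_disable_http_server.sh checks only the names in PACKAGES, and on Debian `nginx` and `apache2` are metapackages: the daemon is installed through `nginx-full`, `nginx-light`, `nginx-extras` or, on wheezy, `apache2-mpm-*` and `apache2.2-bin`, which can be present without the metapackage, so a host running a web server is reported `ok` and an audit-only run gives a false sense of compliance. Either extend the list with the flavour packages, or complement the name check with a match on the installed-package list (the project's `is_pkg_installed` helper is outside this diff, so I cannot tell whether it supports patterns). The comment already cites `aptitude search '~Phttpd'`; the flavour packages are the ones that actually provide httpd, so that search should list them.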
@@ -0,0 +1,60 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# + +# +# 6.11 Ensure IMAP and POP server is not enabled (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Based on aptitude search '~Pimap-server' and aptitude search '~Ppop3-server' +PACKAGES='citadel-server courier-imap cyrus-imapd-2.4 dovecot-imapd mailutils-imap4d courier-pop cyrus-pop3d-2.4 dovecot-pop3d heimdal-servers mailutils-pop3d popa3d solid-pop3d xmail' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed !" + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for PACKAGE in $PACKAGES; do + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + crit "$PACKAGE is installed, purging it" + apt-get purge $PACKAGE -y + apt-get autoremove + else + ok "$PACKAGE is absent" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/6.12_disable_samba.sh b/bin/hardening/6.12_disable_samba.sh new file mode 100755 index 0000000..d635a34 --- /dev/null +++ b/bin/hardening/6.12_disable_samba.sh 
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.12 Ensure Samba is not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGES='samba'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.13_diable_http_proxy.sh b/bin/hardening/6.13_diable_http_proxy.sh new file mode 100755
index 0000000..b1a4b29
--- /dev/null
+++ b/bin/hardening/6.13_diable_http_proxy.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.13 Ensure HTTP Proxy Server is not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGES='squid3 squid'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.14_disable_snmp_server.sh b/bin/hardening/6.14_disable_snmp_server.sh new file mode 100755
index 0000000..6eceacb
--- /dev/null
+++ b/bin/hardening/6.14_disable_snmp_server.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.14 Ensure SNMP Server is not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGES='snmpd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.15_mta_localhost.sh b/bin/hardening/6.15_mta_localhost.sh new file mode 100755
index 0000000..e08325c
--- /dev/null
+++ b/bin/hardening/6.15_mta_localhost.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.15 Configure Mail Transfer Agent for Local-Only Mode (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking netport ports opened"
+ eval 'RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]")'
+ debug "Result is $RESULT"
+ if [ -z "$RESULT" ]; then
+ ok "Nothing listens on 25 port, probably unix socket configured"
+ else
+ info "Checking $RESULT"
+ if $(grep -q "127.0.0.1" <<< $RESULT); then
+ ok "MTA is configured to localhost only"
+ else
+ crit "MTA listens worldwide"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Checking netport ports opened"
+ eval 'RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]")'
+ debug "Result is $RESULT"
+ if [ -z "$RESULT" ]; then
+ ok "Nothing listens on 25 port, probably unix socket configured"
+ else
+ info "Checking $RESULT"
+ if $(grep -q "127.0.0.1" <<< $RESULT); then
+ ok "MTA is configured to localhost only"
+ else
+ warn "MTA listens worldwide, correct this considering your MTA"
+ fi
+ fi
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.1_disable_xwindow_system.sh b/bin/hardening/6.1_disable_xwindow_system.sh
index c50b597..bd30e09 100755
--- a/bin/hardening/6.1_disable_xwindow_system.sh
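Review bot: In `audit`, `eval 'RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]")'` terminates the script whenever nothing listens on port 25, because the last `grep` exits 1, the assignment takes that status and `set -e` fires before the "Nothing listens on 25 port" branch is reached; the `eval` adds nothing, so write `RESULT=$(netstat -an | grep LIST | grep ":25[[:space:]]" || true)`. The localhost test then only asks whether any line of `$RESULT` contains `127.0.0.1`, so an MTA bound to both `0.0.0.0:25` and `127.0.0.1:25` is reported as localhost-only while an IPv6 `::1:25` listener is reported as worldwide; testing that no line lacks a loopback address, e.g. `if grep -qvE '127\.0\.0\.1|::1' <<< "$RESULT"; then crit "MTA listens worldwide"`, covers both cases. `if $(grep -q ...)` only works because bash falls back to the substitution's exit status when the expansion is empty; the plain form is `if grep -q "127.0.0.1" <<< "$RESULT"; then`. `apply` repeats `audit` with a `warn` and a leftover `:` and changes nothing on the system, which is defensible for a Scored item whose fix depends on the MTA, but a comment saying so (`# No automatic remediation: the listen address is MTA-specific, see your MTA's configuration`) would stop readers from assuming the check enforces anything.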
+++ b/bin/hardening/6.1_disable_xwindow_system.sh @@ -11,7 +11,8 @@ set -e # One error, it's over set -u # One variable unset, it's over -PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common' +# Based on aptitude search '~Pxserver' +PACKAGES='xserver-xorg-core xserver-xorg-core-dbg xserver-common xserver-xephyr xserver-xfbdev tightvncserver vnc4server fglrx-driver xvfb xserver-xorg-video-nvidia-legacy-173xx xserver-xorg-video-nvidia-legacy-96xx xnest' # This function will be called if the script status is on enabled / audit mode audit () { diff --git a/bin/hardening/6.2_disable_avahi_server.sh b/bin/hardening/6.2_disable_avahi_server.sh index 9d24d83..7a4a13a 100755 --- a/bin/hardening/6.2_disable_avahi_server.sh +++ b/bin/hardening/6.2_disable_avahi_server.sh @@ -32,7 +32,7 @@ apply () { if [ $FNRET = 0 ]; then crit "$PACKAGE is installed, purging it" apt-get purge $PACKAGE -y -apt-get autoremove + apt-get autoremove else ok "$PACKAGE is absent" fi diff --git a/bin/hardening/6.3_disable_print_server.sh b/bin/hardening/6.3_disable_print_server.sh index f430c7e..2a606f9 100755 --- a/bin/hardening/6.3_disable_print_server.sh +++ b/bin/hardening/6.3_disable_print_server.sh @@ -32,7 +32,7 @@ apply () { if [ $FNRET = 0 ]; then crit "$PACKAGE is installed, purging it" apt-get purge $PACKAGE -y -apt-get autoremove + apt-get autoremove else ok "$PACKAGE is absent" fi diff --git a/bin/hardening/6.4_disable_dhcp.sh b/bin/hardening/6.4_disable_dhcp.sh index 8c1504a..dcf76d9 100755 --- a/bin/hardening/6.4_disable_dhcp.sh +++ b/bin/hardening/6.4_disable_dhcp.sh @@ -32,7 +32,7 @@ apply () { if [ $FNRET = 0 ]; then crit "$PACKAGE is installed, purging it" apt-get purge $PACKAGE -y -apt-get autoremove + apt-get autoremove else ok "$PACKAGE is absent" fi diff --git a/bin/hardening/6.6_diable_ldap.sh b/bin/hardening/6.6_diable_ldap.sh index 1126ec9..9fb4f35 100755 --- a/bin/hardening/6.6_diable_ldap.sh +++ b/bin/hardening/6.6_diable_ldap.sh 
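Review bot: The widened `PACKAGES` list for 6.1 now covers `xvfb`, `tightvncserver`, `vnc4server`, `fglrx-driver` and the legacy nvidia driver packages alongside the Xorg server packages, so a headless build or test host running Xvfb, or a VNC server, becomes a CIS 6.1 finding and, if `apply` purges as the sibling 6.x scripts on this page do (its body is outside this hunk), loses those packages. The comment line only says where the list came from; it should also say what was deliberately included, e.g. `# Based on aptitude search '~Pxserver'; also lists virtual/VNC X servers and proprietary GPU drivers`, or the non-Xorg entries should live in a separate variable an operator can leave empty. The `audit` and `apply` bodies start after this hunk.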
@@ -32,7 +32,7 @@ apply () { if [ $FNRET = 0 ]; then crit "$PACKAGE is installed, purging it" apt-get purge $PACKAGE -y -apt-get autoremove + apt-get autoremove else ok "$PACKAGE is absent" fi diff --git a/bin/hardening/6.7_disable_nfs_rpc.sh b/bin/hardening/6.7_disable_nfs_rpc.sh index 40244dd..d1f0d00 100755 --- a/bin/hardening/6.7_disable_nfs_rpc.sh +++ b/bin/hardening/6.7_disable_nfs_rpc.sh @@ -32,7 +32,7 @@ apply () { if [ $FNRET = 0 ]; then crit "$PACKAGE is installed, purging it" apt-get purge $PACKAGE -y -apt-get autoremove + apt-get autoremove else ok "$PACKAGE is absent" fi diff --git a/bin/hardening/6.8_disable_dns_server.sh b/bin/hardening/6.8_disable_dns_server.sh index b3ecb69..492a9bb 100755 --- a/bin/hardening/6.8_disable_dns_server.sh +++ b/bin/hardening/6.8_disable_dns_server.sh @@ -32,7 +32,7 @@ apply () { if [ $FNRET = 0 ]; then crit "$PACKAGE is installed, purging it" apt-get purge $PACKAGE -y -apt-get autoremove + apt-get autoremove else ok "$PACKAGE is absent" fi diff --git a/bin/hardening/6.9_disable_ftp.sh b/bin/hardening/6.9_disable_ftp.sh new file mode 100755 index 0000000..579f933 --- /dev/null +++ b/bin/hardening/6.9_disable_ftp.sh 
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+#
+# 6.9 Ensure FTP Server is not enabled (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# Based on aptitude search '~Pftp-server'
+PACKAGES='ftpd ftpd-ssl heimdal-servers inetutils-ftpd krb5-ftpd muddleftpd proftpd-basic pure-ftpd pure-ftpd-ldap pure-ftpd-mysql pure-ftpd-postgresql twoftpd-run vsftpd wzdftpd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed !"
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for PACKAGE in $PACKAGES; do
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ crit "$PACKAGE is installed, purging it"
+ apt-get purge $PACKAGE -y
+ apt-get autoremove
+ else
+ ok "$PACKAGE is absent"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/6.10_disable_http_server.cfg b/etc/conf.d/6.10_disable_http_server.cfg new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/6.10_disable_http_server.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/6.11_disable_imap_pop.cfg b/etc/conf.d/6.11_disable_imap_pop.cfg new file mode 100644
index 0000000..e1e4502
--- /dev/null
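Review bot: `status=enabled` as the shipped default of `6.10_disable_http_server.cfg` means the very first run of the script purges every listed web server package, since by the script's own header comment `apply` is called when the status is enabled. A check whose remediation removes packages is safer shipped as `status=audit`, with `enabled` an explicit opt-in, and the file should say what the switch does, e.g. `# enabled purges every package the script lists; audit only reports`. The following hunks set the same default for the other new 6.x configuration files.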
+++ b/etc/conf.d/6.11_disable_imap_pop.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/6.12_disable_samba.cfg b/etc/conf.d/6.12_disable_samba.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/6.12_disable_samba.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/6.13_diable_http_proxy.cfg b/etc/conf.d/6.13_diable_http_proxy.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/6.13_diable_http_proxy.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/6.14_disable_snmp_server.cfg b/etc/conf.d/6.14_disable_snmp_server.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/6.14_disable_snmp_server.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/6.15_mta_localhost.cfg b/etc/conf.d/6.15_mta_localhost.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/6.15_mta_localhost.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/6.9_disable_ftp.cfg b/etc/conf.d/6.9_disable_ftp.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/6.9_disable_ftp.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled From 8b8547dc7de9e91c481e43f7cc0ae8055e6d57a1 Mon Sep 17 00:00:00 2001 
From: "thibault.dewailly" Date: Wed, 13 Apr 2016 14:12:57 +0200 Subject: [PATCH 28/64] 6.16_disable_rsync.sh --- bin/hardening/1.1_install_updates.sh | 1 + bin/hardening/2.10_home_nodev.sh | 1 + bin/hardening/2.11_removable_device_nodev.sh | 1 + bin/hardening/2.12_removable_device_noexec.sh | 1 + bin/hardening/2.13_removable_device_nosuid.sh | 1 + bin/hardening/2.14_run_shm_nodev.sh | 1 + bin/hardening/2.15_run_shm_nosuid.sh | 1 + bin/hardening/2.16_run_shm_noexec.sh | 1 + .../2.17_sticky_bit_world_writable_folder.sh | 1 + bin/hardening/2.18_disable_cramfs.sh | 1 + bin/hardening/2.19_disable_freevxfs.sh | 1 + bin/hardening/2.1_tmp_partition.sh | 1 + bin/hardening/2.20_disable_jffs2.sh | 1 + bin/hardening/2.21_disable_hfs.sh | 1 + bin/hardening/2.22_disable_hfsplus.sh | 1 + bin/hardening/2.23_disable_squashfs.sh | 1 + bin/hardening/2.24_disable_udf.sh | 1 + bin/hardening/2.25_disable_automounting.sh | 1 + bin/hardening/2.2_tmp_nodev.sh | 1 + bin/hardening/2.3_tmp_nosuid.sh | 1 + bin/hardening/2.4_tmp_noexec.sh | 1 + bin/hardening/2.5_var_partition.sh | 1 + bin/hardening/2.6.1_var_tmp_partition.sh | 1 + bin/hardening/2.6.2_var_tmp_nodev.sh | 1 + bin/hardening/2.6.3_var_tmp_nosuid.sh | 1 + bin/hardening/2.6.4_var_tmp_noexec.sh | 1 + bin/hardening/2.7_var_log_partition.sh | 1 + bin/hardening/2.8_var_log_audit_partition.sh | 1 + bin/hardening/2.9_home_partition.sh | 1 + bin/hardening/3.1_bootloader_ownership.sh | 1 + bin/hardening/3.2_bootloader_permissions.sh | 1 + bin/hardening/3.3_bootloader_password.sh | 1 + bin/hardening/3.4_root_password.sh | 1 + bin/hardening/4.1_restrict_core_dumps.sh | 1 + bin/hardening/4.2_enable_nx_support.sh | 1 + .../4.3_enable_randomized_vm_placement.sh | 1 + bin/hardening/4.4_disable_prelink.sh | 1 + bin/hardening/4.5_enable_apparmor.sh | 1 + bin/hardening/5.1.1_disable_nis.sh | 1 + bin/hardening/5.1.2_disable_rsh.sh | 1 + bin/hardening/5.1.3_disable_rsh_client.sh | 1 + bin/hardening/5.1.4_disable_talk.sh | 1 + 
bin/hardening/5.1.5_disable_talk_client.sh | 1 + bin/hardening/5.1.6_disable_telnet_server.sh | 1 + bin/hardening/5.1.7_disable_tftp_server.sh | 1 + bin/hardening/5.1.8_disable_inetd.sh | 1 + bin/hardening/5.2_disable_chargen.sh | 1 + bin/hardening/5.3_disable_daytime.sh | 1 + bin/hardening/5.4_disable_echo.sh | 1 + bin/hardening/5.5_disable_discard.sh | 1 + bin/hardening/5.6_disable_time.sh | 1 + bin/hardening/6.10_disable_http_server.sh | 1 + bin/hardening/6.11_disable_imap_pop.sh | 1 + bin/hardening/6.12_disable_samba.sh | 1 + bin/hardening/6.13_diable_http_proxy.sh | 1 + bin/hardening/6.14_disable_snmp_server.sh | 1 + bin/hardening/6.15_mta_localhost.sh | 1 + bin/hardening/6.16_disable_rsync.sh | 71 +++++++++++++++++++ bin/hardening/6.1_disable_xwindow_system.sh | 1 + bin/hardening/6.2_disable_avahi_server.sh | 1 + bin/hardening/6.3_disable_print_server.sh | 1 + bin/hardening/6.4_disable_dhcp.sh | 1 + bin/hardening/6.5_configure_ntp.sh | 1 + bin/hardening/6.6_diable_ldap.sh | 1 + bin/hardening/6.7_disable_nfs_rpc.sh | 1 + bin/hardening/6.8_disable_dns_server.sh | 1 + bin/hardening/6.9_disable_ftp.sh | 1 + etc/conf.d/6.16_disable_rsync.cfg | 2 + lib/utils.sh | 12 ++++ 69 files changed, 151 insertions(+) create mode 100755 bin/hardening/6.16_disable_rsync.sh create mode 100644 etc/conf.d/6.16_disable_rsync.cfg diff --git a/bin/hardening/1.1_install_updates.sh b/bin/hardening/1.1_install_updates.sh index 70f720f..3dd2bb7 100755 --- a/bin/hardening/1.1_install_updates.sh +++ b/bin/hardening/1.1_install_updates.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.10_home_nodev.sh b/bin/hardening/2.10_home_nodev.sh index 1c8a414..75a36ed 100755 --- a/bin/hardening/2.10_home_nodev.sh +++ b/bin/hardening/2.10_home_nodev.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/2.11_removable_device_nodev.sh b/bin/hardening/2.11_removable_device_nodev.sh index 010a432..6015175 100755 --- a/bin/hardening/2.11_removable_device_nodev.sh +++ b/bin/hardening/2.11_removable_device_nodev.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.12_removable_device_noexec.sh b/bin/hardening/2.12_removable_device_noexec.sh index 1258880..15d64db 100755 --- a/bin/hardening/2.12_removable_device_noexec.sh +++ b/bin/hardening/2.12_removable_device_noexec.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.13_removable_device_nosuid.sh b/bin/hardening/2.13_removable_device_nosuid.sh index 351d94b..6c64b41 100755 --- a/bin/hardening/2.13_removable_device_nosuid.sh +++ b/bin/hardening/2.13_removable_device_nosuid.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.14_run_shm_nodev.sh b/bin/hardening/2.14_run_shm_nodev.sh index d58d354..5759c2d 100755 --- a/bin/hardening/2.14_run_shm_nodev.sh +++ b/bin/hardening/2.14_run_shm_nodev.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.15_run_shm_nosuid.sh b/bin/hardening/2.15_run_shm_nosuid.sh index 451944a..d5944eb 100755 --- a/bin/hardening/2.15_run_shm_nosuid.sh +++ b/bin/hardening/2.15_run_shm_nosuid.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.16_run_shm_noexec.sh b/bin/hardening/2.16_run_shm_noexec.sh index 9f111b5..3f94baf 100755 --- a/bin/hardening/2.16_run_shm_noexec.sh +++ b/bin/hardening/2.16_run_shm_noexec.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh index 0183a36..6fbf176 100755 
--- a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh +++ b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.18_disable_cramfs.sh b/bin/hardening/2.18_disable_cramfs.sh index e9df2c1..c937dd8 100755 --- a/bin/hardening/2.18_disable_cramfs.sh +++ b/bin/hardening/2.18_disable_cramfs.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.19_disable_freevxfs.sh b/bin/hardening/2.19_disable_freevxfs.sh index 0d43421..a662581 100755 --- a/bin/hardening/2.19_disable_freevxfs.sh +++ b/bin/hardening/2.19_disable_freevxfs.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.1_tmp_partition.sh b/bin/hardening/2.1_tmp_partition.sh index f2b5469..5161cec 100755 --- a/bin/hardening/2.1_tmp_partition.sh +++ b/bin/hardening/2.1_tmp_partition.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.20_disable_jffs2.sh b/bin/hardening/2.20_disable_jffs2.sh index c892e96..128ed16 100755 --- a/bin/hardening/2.20_disable_jffs2.sh +++ b/bin/hardening/2.20_disable_jffs2.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.21_disable_hfs.sh b/bin/hardening/2.21_disable_hfs.sh index 073e539..dc1c1d3 100755 --- a/bin/hardening/2.21_disable_hfs.sh +++ b/bin/hardening/2.21_disable_hfs.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.22_disable_hfsplus.sh b/bin/hardening/2.22_disable_hfsplus.sh index 81d47bf..3daea0d 100755 --- a/bin/hardening/2.22_disable_hfsplus.sh +++ b/bin/hardening/2.22_disable_hfsplus.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/2.23_disable_squashfs.sh b/bin/hardening/2.23_disable_squashfs.sh index e5a059d..5b0f089 100755 --- a/bin/hardening/2.23_disable_squashfs.sh +++ b/bin/hardening/2.23_disable_squashfs.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.24_disable_udf.sh b/bin/hardening/2.24_disable_udf.sh index e49469c..e102bdc 100755 --- a/bin/hardening/2.24_disable_udf.sh +++ b/bin/hardening/2.24_disable_udf.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.25_disable_automounting.sh b/bin/hardening/2.25_disable_automounting.sh index e6bf641..2abd21f 100755 --- a/bin/hardening/2.25_disable_automounting.sh +++ b/bin/hardening/2.25_disable_automounting.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh index 6b34d0f..cd089a1 100755 --- a/bin/hardening/2.2_tmp_nodev.sh +++ b/bin/hardening/2.2_tmp_nodev.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh index a361ca7..824eb34 100755 --- a/bin/hardening/2.3_tmp_nosuid.sh +++ b/bin/hardening/2.3_tmp_nosuid.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.4_tmp_noexec.sh b/bin/hardening/2.4_tmp_noexec.sh index 9d61da1..3971c4d 100755 --- a/bin/hardening/2.4_tmp_noexec.sh +++ b/bin/hardening/2.4_tmp_noexec.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.5_var_partition.sh b/bin/hardening/2.5_var_partition.sh index 3a0fed6..bba19c3 100755 --- a/bin/hardening/2.5_var_partition.sh +++ b/bin/hardening/2.5_var_partition.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/2.6.1_var_tmp_partition.sh b/bin/hardening/2.6.1_var_tmp_partition.sh index 1a1348b..57dc4e2 100755 --- a/bin/hardening/2.6.1_var_tmp_partition.sh +++ b/bin/hardening/2.6.1_var_tmp_partition.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.6.2_var_tmp_nodev.sh b/bin/hardening/2.6.2_var_tmp_nodev.sh index 2be7322..13df7e8 100755 --- a/bin/hardening/2.6.2_var_tmp_nodev.sh +++ b/bin/hardening/2.6.2_var_tmp_nodev.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.6.3_var_tmp_nosuid.sh b/bin/hardening/2.6.3_var_tmp_nosuid.sh index 992d8e6..8e745af 100755 --- a/bin/hardening/2.6.3_var_tmp_nosuid.sh +++ b/bin/hardening/2.6.3_var_tmp_nosuid.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.6.4_var_tmp_noexec.sh b/bin/hardening/2.6.4_var_tmp_noexec.sh index 223477f..6f6cf4b 100755 --- a/bin/hardening/2.6.4_var_tmp_noexec.sh +++ b/bin/hardening/2.6.4_var_tmp_noexec.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.7_var_log_partition.sh b/bin/hardening/2.7_var_log_partition.sh index 32b2c74..b05593a 100755 --- a/bin/hardening/2.7_var_log_partition.sh +++ b/bin/hardening/2.7_var_log_partition.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.8_var_log_audit_partition.sh b/bin/hardening/2.8_var_log_audit_partition.sh index 9c7bf92..721d49a 100755 --- a/bin/hardening/2.8_var_log_audit_partition.sh +++ b/bin/hardening/2.8_var_log_audit_partition.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/2.9_home_partition.sh b/bin/hardening/2.9_home_partition.sh index 04270db..3d3c2c5 100755 --- a/bin/hardening/2.9_home_partition.sh +++ b/bin/hardening/2.9_home_partition.sh 
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/3.1_bootloader_ownership.sh b/bin/hardening/3.1_bootloader_ownership.sh index 044d2b0..b5f8ef2 100755 --- a/bin/hardening/3.1_bootloader_ownership.sh +++ b/bin/hardening/3.1_bootloader_ownership.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/3.2_bootloader_permissions.sh b/bin/hardening/3.2_bootloader_permissions.sh index 1cadd62..2967579 100755 --- a/bin/hardening/3.2_bootloader_permissions.sh +++ b/bin/hardening/3.2_bootloader_permissions.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/3.3_bootloader_password.sh b/bin/hardening/3.3_bootloader_password.sh index 05a9ab0..8443de7 100755 --- a/bin/hardening/3.3_bootloader_password.sh +++ b/bin/hardening/3.3_bootloader_password.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/3.4_root_password.sh b/bin/hardening/3.4_root_password.sh index f37bfb0..9bef628 100755 --- a/bin/hardening/3.4_root_password.sh +++ b/bin/hardening/3.4_root_password.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/4.1_restrict_core_dumps.sh b/bin/hardening/4.1_restrict_core_dumps.sh index 7f6a4b6..c59526d 100755 --- a/bin/hardening/4.1_restrict_core_dumps.sh +++ b/bin/hardening/4.1_restrict_core_dumps.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/4.2_enable_nx_support.sh b/bin/hardening/4.2_enable_nx_support.sh index d5c4962..1a86838 100755 --- a/bin/hardening/4.2_enable_nx_support.sh +++ b/bin/hardening/4.2_enable_nx_support.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/4.3_enable_randomized_vm_placement.sh b/bin/hardening/4.3_enable_randomized_vm_placement.sh index ded11c1..03a7f71 100755 --- a/bin/hardening/4.3_enable_randomized_vm_placement.sh +++ b/bin/hardening/4.3_enable_randomized_vm_placement.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/4.4_disable_prelink.sh b/bin/hardening/4.4_disable_prelink.sh index 3770a6b..a0b9549 100755 --- a/bin/hardening/4.4_disable_prelink.sh +++ b/bin/hardening/4.4_disable_prelink.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/4.5_enable_apparmor.sh b/bin/hardening/4.5_enable_apparmor.sh index 88b7bbc..4714fbf 100755 --- a/bin/hardening/4.5_enable_apparmor.sh +++ b/bin/hardening/4.5_enable_apparmor.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/5.1.1_disable_nis.sh b/bin/hardening/5.1.1_disable_nis.sh index ddabc5b..01cf8d7 100755 --- a/bin/hardening/5.1.1_disable_nis.sh +++ b/bin/hardening/5.1.1_disable_nis.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh index 802ab4b..3b6d3e5 100755 --- a/bin/hardening/5.1.2_disable_rsh.sh +++ b/bin/hardening/5.1.2_disable_rsh.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/5.1.3_disable_rsh_client.sh b/bin/hardening/5.1.3_disable_rsh_client.sh index 679093a..15d0b6d 100755 --- a/bin/hardening/5.1.3_disable_rsh_client.sh +++ b/bin/hardening/5.1.3_disable_rsh_client.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh index ffd320b..e283fec 100755 --- a/bin/hardening/5.1.4_disable_talk.sh +++ b/bin/hardening/5.1.4_disable_talk.sh 
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/5.1.5_disable_talk_client.sh b/bin/hardening/5.1.5_disable_talk_client.sh index 3e5c927..c6f4b10 100755 --- a/bin/hardening/5.1.5_disable_talk_client.sh +++ b/bin/hardening/5.1.5_disable_talk_client.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh index 9d7b3f6..61b19eb 100755 --- a/bin/hardening/5.1.6_disable_telnet_server.sh +++ b/bin/hardening/5.1.6_disable_telnet_server.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/5.1.7_disable_tftp_server.sh b/bin/hardening/5.1.7_disable_tftp_server.sh index 0c39f26..ae17ef1 100755 --- a/bin/hardening/5.1.7_disable_tftp_server.sh +++ b/bin/hardening/5.1.7_disable_tftp_server.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/5.1.8_disable_inetd.sh b/bin/hardening/5.1.8_disable_inetd.sh index bad5b8c..9a1bd52 100755 --- a/bin/hardening/5.1.8_disable_inetd.sh +++ b/bin/hardening/5.1.8_disable_inetd.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/5.2_disable_chargen.sh b/bin/hardening/5.2_disable_chargen.sh index 2ce2870..9fdc3c1 100755 --- a/bin/hardening/5.2_disable_chargen.sh +++ b/bin/hardening/5.2_disable_chargen.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/5.3_disable_daytime.sh b/bin/hardening/5.3_disable_daytime.sh index cb12750..8509fd1 100755 --- a/bin/hardening/5.3_disable_daytime.sh +++ b/bin/hardening/5.3_disable_daytime.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/5.4_disable_echo.sh b/bin/hardening/5.4_disable_echo.sh index d899e8f..0113670 100755 --- a/bin/hardening/5.4_disable_echo.sh +++ b/bin/hardening/5.4_disable_echo.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/5.5_disable_discard.sh b/bin/hardening/5.5_disable_discard.sh index 0fce91d..77601fa 100755 --- a/bin/hardening/5.5_disable_discard.sh +++ b/bin/hardening/5.5_disable_discard.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/5.6_disable_time.sh b/bin/hardening/5.6_disable_time.sh index 0267904..106dc69 100755 --- a/bin/hardening/5.6_disable_time.sh +++ b/bin/hardening/5.6_disable_time.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/6.10_disable_http_server.sh b/bin/hardening/6.10_disable_http_server.sh index 72d3076..8909daa 100755 --- a/bin/hardening/6.10_disable_http_server.sh +++ b/bin/hardening/6.10_disable_http_server.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/6.11_disable_imap_pop.sh b/bin/hardening/6.11_disable_imap_pop.sh index 9d4b82d..a7dec19 100755 --- a/bin/hardening/6.11_disable_imap_pop.sh +++ b/bin/hardening/6.11_disable_imap_pop.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/6.12_disable_samba.sh b/bin/hardening/6.12_disable_samba.sh index d635a34..b696c4e 100755 --- a/bin/hardening/6.12_disable_samba.sh +++ b/bin/hardening/6.12_disable_samba.sh @@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/6.13_diable_http_proxy.sh b/bin/hardening/6.13_diable_http_proxy.sh index b1a4b29..c923be9 100755 --- a/bin/hardening/6.13_diable_http_proxy.sh +++ b/bin/hardening/6.13_diable_http_proxy.sh 
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # #
diff --git a/bin/hardening/6.14_disable_snmp_server.sh b/bin/hardening/6.14_disable_snmp_server.sh
index 6eceacb..6754f73 100755
--- a/bin/hardening/6.14_disable_snmp_server.sh
+++ b/bin/hardening/6.14_disable_snmp_server.sh
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # #
diff --git a/bin/hardening/6.15_mta_localhost.sh b/bin/hardening/6.15_mta_localhost.sh
index e08325c..4651471 100755
--- a/bin/hardening/6.15_mta_localhost.sh
+++ b/bin/hardening/6.15_mta_localhost.sh
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # #
diff --git a/bin/hardening/6.16_disable_rsync.sh b/bin/hardening/6.16_disable_rsync.sh
new file mode 100755
index 0000000..5007e13
--- /dev/null
+++ b/bin/hardening/6.16_disable_rsync.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 6.16 Ensure rsync service is not enabled (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='rsync'
+RSYNC_DEFAULT_PATTERN='RSYNC_ENABLE=false'
+RSYNC_DEFAULT_FILE='/etc/default/rsync'
+RSYNC_DEFAULT_PATTERN_TO_SEARCH='RSYNC_ENABLE=true'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ ok "$PACKAGE is not installed"
+ else
+ ok "$PACKAGE is installed, checking configuration"
+ does_pattern_exists_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE"
+ else
+ ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ ok "$PACKAGE is not installed"
+ else
+ ok "$PACKAGE is installed, checking configuration"
+ does_pattern_exists_in_file $RSYNC_DEFAULT_FILE "^$RSYNC_DEFAULT_PATTERN"
+ if [ $FNRET != 0 ]; then
+ warn "$RSYNC_DEFAULT_PATTERN not found in $RSYNC_DEFAULT_FILE, adding it"
+ backup_file $RSYNC_DEFAULT_FILE
+ replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN
+ else
+ ok "$RSYNC_DEFAULT_PATTERN found in $RSYNC_DEFAULT_FILE"
+ fi
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/6.1_disable_xwindow_system.sh b/bin/hardening/6.1_disable_xwindow_system.sh
index bd30e09..65ae917 100755
--- a/bin/hardening/6.1_disable_xwindow_system.sh
+++ b/bin/hardening/6.1_disable_xwindow_system.sh
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # #
diff --git a/bin/hardening/6.2_disable_avahi_server.sh b/bin/hardening/6.2_disable_avahi_server.sh
index 7a4a13a..d548b90 100755
--- a/bin/hardening/6.2_disable_avahi_server.sh
+++ b/bin/hardening/6.2_disable_avahi_server.sh
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # #
diff --git a/bin/hardening/6.3_disable_print_server.sh b/bin/hardening/6.3_disable_print_server.sh
index 2a606f9..80224a4 100755
--- a/bin/hardening/6.3_disable_print_server.sh
+++ b/bin/hardening/6.3_disable_print_server.sh
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # #
diff --git a/bin/hardening/6.4_disable_dhcp.sh b/bin/hardening/6.4_disable_dhcp.sh
index dcf76d9..4cd9d48 100755
--- a/bin/hardening/6.4_disable_dhcp.sh
+++ b/bin/hardening/6.4_disable_dhcp.sh
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # #
diff --git a/bin/hardening/6.5_configure_ntp.sh b/bin/hardening/6.5_configure_ntp.sh
index df3c861..cad9deb 100755
--- a/bin/hardening/6.5_configure_ntp.sh
+++ b/bin/hardening/6.5_configure_ntp.sh
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # #
diff --git a/bin/hardening/6.6_diable_ldap.sh b/bin/hardening/6.6_diable_ldap.sh
index 9fb4f35..75bf546 100755
--- a/bin/hardening/6.6_diable_ldap.sh
+++ b/bin/hardening/6.6_diable_ldap.sh
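Review bot: In apply(), the remediation `replace_in_file $RSYNC_DEFAULT_FILE $RSYNC_DEFAULT_PATTERN_TO_SEARCH $RSYNC_DEFAULT_PATTERN` only rewrites a literal `RSYNC_ENABLE=true`, so if /etc/default/rsync carries any other value, a commented-out line, or no such line at all, the sed is a no-op while the preceding warn claims the setting is being "added" and the next audit still reports KO; re-running `does_pattern_exists_in_file` after the replacement and appending the line when it is still absent would make the apply path honest. A running rsync daemon is also left untouched, which the 6.16 title ("service is not enabled") may or may not intend, so a one-line comment stating that only the default file is managed would help. The bootstrap block at the end prints `echo "No CIS_ROOT_DIR variable, aborting"` without an `exit`, so with an empty CIS_ROOT_DIR execution continues to the main.sh sourcing line; the same block is copied verbatim into 7.1.1, 7.1.2 and 7.2.1 through 7.2.7 in the following commits. Since etc/conf.d/6.16_disable_rsync.cfg in this commit ships with `status=enabled`, the modifying path is the default run mode rather than audit.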
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # #
diff --git a/bin/hardening/6.7_disable_nfs_rpc.sh b/bin/hardening/6.7_disable_nfs_rpc.sh
index d1f0d00..2c0a0d0 100755
--- a/bin/hardening/6.7_disable_nfs_rpc.sh
+++ b/bin/hardening/6.7_disable_nfs_rpc.sh
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # #
diff --git a/bin/hardening/6.8_disable_dns_server.sh b/bin/hardening/6.8_disable_dns_server.sh
index 492a9bb..a2bcbac 100755
--- a/bin/hardening/6.8_disable_dns_server.sh
+++ b/bin/hardening/6.8_disable_dns_server.sh
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # #
diff --git a/bin/hardening/6.9_disable_ftp.sh b/bin/hardening/6.9_disable_ftp.sh
index 579f933..ea58eaf 100755
--- a/bin/hardening/6.9_disable_ftp.sh
+++ b/bin/hardening/6.9_disable_ftp.sh
@@ -2,6 +2,7 @@ # # CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH # #
diff --git a/etc/conf.d/6.16_disable_rsync.cfg b/etc/conf.d/6.16_disable_rsync.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/6.16_disable_rsync.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/lib/utils.sh b/lib/utils.sh
index 50a750d..781e045 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -117,6 +117,18 @@ add_line_file_before_pattern() {
 sed -i "/$PATTERN/i $LINE" $FILE
 FNRET=0
 }
+
+replace_in_file() {
+ local FILE=$1
+ local SOURCE=$2
+ local DESTINATION=$3
+
+ debug "Replacing $SOURCE to $DESTINATION in $FILE"
+ debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
+ sed -i "s/$SOURCE/$DESTINATION/g" $FILE
+ FNRET=0
+}
+
 #
 # User manipulation
 #
From 3ac82210f0e16a284a9686a5ee108da10fb4d1ad Mon Sep 17 00:00:00 2001
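Review bot: replace_in_file interpolates its SOURCE and DESTINATION arguments straight into the sed expression `sed -i "s/$SOURCE/$DESTINATION/g" $FILE`, so a `/`, `&` or regex metacharacter in either argument changes the substitution or breaks the command, and the unquoted `$FILE` word-splits. The current caller passes fixed literals, so the minimum is to document the contract above the function: `# SOURCE is used as a sed regex and DESTINATION as a sed replacement: callers must pass values free of '/', '&' and unescaped regex metacharacters`. `FNRET=0` is also assigned unconditionally, which is only safe because the sourcing scripts run under `set -e`; saying so in that comment (or capturing sed's status into FNRET) keeps the helper reusable outside that assumption. add_line_file_before_pattern's body starts outside the hunk.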
From: "thibault.dewailly"
Date: Wed, 13 Apr 2016 14:54:35 +0200
Subject: [PATCH 29/64] 7.1.1_disable_ip_forwarding.sh 7.1.2_disable_send_packet_redirects.sh
---
 bin/hardening/7.1.1_disable_ip_forwarding.sh | 61 ++++++++++++++++
 .../7.1.2_disable_send_packet_redirects.sh | 71 +++++++++++++++++++
 etc/conf.d/7.1.1_disable_ip_forwarding.cfg | 2 +
 .../7.1.2_disable_send_packet_redirects.cfg | 2 +
 lib/utils.sh | 2 +-
 5 files changed, 137 insertions(+), 1 deletion(-)
 create mode 100755 bin/hardening/7.1.1_disable_ip_forwarding.sh
 create mode 100755 bin/hardening/7.1.2_disable_send_packet_redirects.sh
 create mode 100644 etc/conf.d/7.1.1_disable_ip_forwarding.cfg
 create mode 100644 etc/conf.d/7.1.2_disable_send_packet_redirects.cfg
diff --git a/bin/hardening/7.1.1_disable_ip_forwarding.sh b/bin/hardening/7.1.1_disable_ip_forwarding.sh
new file mode 100755
index 0000000..47ef9d9
--- /dev/null
+++ b/bin/hardening/7.1.1_disable_ip_forwarding.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.1.1 Disable IP Forwarding (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAM='net.ipv4.ip_forward'
+SYSCTL_EXP_RESULT=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.1.2_disable_send_packet_redirects.sh b/bin/hardening/7.1.2_disable_send_packet_redirects.sh
new file mode 100755
index 0000000..2fcd772
--- /dev/null
+++ b/bin/hardening/7.1.2_disable_send_packet_redirects.sh
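Review bot: In both audit() and apply(), `elif [ $FNRET = 255 ]` is unreachable because `if [ $FNRET != 0 ]` already matches 255, so a misspelled or absent sysctl key is reported as a KO (and apply() tries to "correct" it) instead of the intended "does not exist" warning; testing the special value first, `if [ $FNRET = 255 ]; then` / `warn "$SYSCTL_PARAM does not exist, typo ?"` / `elif [ $FNRET != 0 ]; then`, fixes both functions. The same ordering is copied into 7.1.2, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6 and 7.2.7 in the following commits. apply() also only changes the running value — set_sysctl_param uses `sysctl -w` per the lib/utils.sh hunk in this commit — so the setting presumably does not survive a reboot unless something outside this series writes it to a sysctl configuration file; a comment stating that, or a persistence step, is worth adding.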
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.1.2 Disable Send Packet Redirects (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+#net.ipv4.conf.all.send_redirects = 0
+#net.ipv4.conf.default.send_redirects = 0
+SYSCTL_PARAMS='net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/7.1.1_disable_ip_forwarding.cfg b/etc/conf.d/7.1.1_disable_ip_forwarding.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.1.1_disable_ip_forwarding.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/7.1.2_disable_send_packet_redirects.cfg b/etc/conf.d/7.1.2_disable_send_packet_redirects.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.1.2_disable_send_packet_redirects.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/lib/utils.sh b/lib/utils.sh
index 781e045..db46e5d 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -25,7 +25,7 @@ set_sysctl_param() {
 debug "Setting $SYSCTL_PARAM to $VALUE"
 if [ "$(sysctl -w $SYSCTL_PARAM=$VALUE 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
 FNRET=0
- elif [ $? != 0 ]; then
+ elif [ $? = 255 ]; then
 debug "$SYSCTL_PARAM does not exist"
 FNRET=255
 else
From 4aaa87b709708a7e2d9e53a453301f6c70692c4e Mon Sep 17 00:00:00 2001
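Review bot: The two commented lines `#net.ipv4.conf.all.send_redirects = 0` and `#net.ipv4.conf.default.send_redirects = 0` placed between `set -u` and SYSCTL_PARAMS duplicate the value list and will drift from it; either drop them or turn them into the explanatory comment the sibling 7.x scripts lack, e.g. `# 'all' covers the existing interfaces, 'default' the ones created later: both must be 0 for the host to stop emitting ICMP redirects`. `sysctl -w net.ipv4.route.flush=1` also runs once per entry inside the apply() loop, where a single flush after `done` would do.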
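Review bot: `elif [ $? = 255 ]` tests the exit status of the `[ … ]` comparison that just failed (always 1), not sysctl's, because the command substitution inside the test discards sysctl's own status; the "does not exist" branch therefore stays unreachable, just as the `!= 0` it replaces was always true at that point. Run sysctl into a variable first, keep its status separately, and compare both afterwards. set_sysctl_param starts outside the hunk.
```shell
    debug "Setting $SYSCTL_PARAM to $VALUE"
    local OUTPUT RC=0
    OUTPUT=$(sysctl -w "$SYSCTL_PARAM=$VALUE" 2>/dev/null) || RC=$?
    if [ "$OUTPUT" = "$SYSCTL_PARAM = $VALUE" ]; then
        FNRET=0
    elif [ $RC = 255 ]; then
        debug "$SYSCTL_PARAM does not exist"
        FNRET=255
    # … unchanged: final else branch …
```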
From: "thibault.dewailly"
Date: Wed, 13 Apr 2016 15:48:03 +0200
Subject: [PATCH 30/64] 7.2.1_disable_source_routed_packets.sh 7.2.2_disable_icmp_redirect.sh 7.2.3_disable_secure_icmp_redirect.sh 7.2.4_log_martian_packets.sh
---
 .../7.2.1_disable_source_routed_packets.sh | 70 +++++++++++++++++++
 bin/hardening/7.2.2_disable_icmp_redirect.sh | 70 +++++++++++++++++++
 .../7.2.3_disable_secure_icmp_redirect.sh | 70 +++++++++++++++++++
 bin/hardening/7.2.4_log_martian_packets.sh | 70 +++++++++++++++++++
 .../7.2.1_disable_source_routed_packets.cfg | 2 +
 etc/conf.d/7.2.2_disable_icmp_redirect.cfg | 2 +
 .../7.2.3_disable_secure_icmp_redirect.cfg | 2 +
 etc/conf.d/7.2.4_log_martian_packets.cfg | 2 +
 8 files changed, 288 insertions(+)
 create mode 100755 bin/hardening/7.2.1_disable_source_routed_packets.sh
 create mode 100755 bin/hardening/7.2.2_disable_icmp_redirect.sh
 create mode 100755 bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
 create mode 100755 bin/hardening/7.2.4_log_martian_packets.sh
 create mode 100644 etc/conf.d/7.2.1_disable_source_routed_packets.cfg
 create mode 100644 etc/conf.d/7.2.2_disable_icmp_redirect.cfg
 create mode 100644 etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg
 create mode 100644 etc/conf.d/7.2.4_log_martian_packets.cfg
diff --git a/bin/hardening/7.2.1_disable_source_routed_packets.sh b/bin/hardening/7.2.1_disable_source_routed_packets.sh
new file mode 100755
index 0000000..521e14b
--- /dev/null
+++ b/bin/hardening/7.2.1_disable_source_routed_packets.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.2.1 Disable Source Routed Packet Acceptance (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.2_disable_icmp_redirect.sh b/bin/hardening/7.2.2_disable_icmp_redirect.sh
new file mode 100755
index 0000000..9b29b30
--- /dev/null
+++ b/bin/hardening/7.2.2_disable_icmp_redirect.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.2.2 Disable ICMP Redirect Acceptance (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh b/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
new file mode 100755
index 0000000..0ab668e
--- /dev/null
+++ b/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.4_log_martian_packets.sh b/bin/hardening/7.2.4_log_martian_packets.sh
new file mode 100755
index 0000000..464fa36
--- /dev/null
+++ b/bin/hardening/7.2.4_log_martian_packets.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.2.4 Log Suspicious Packets (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/7.2.1_disable_source_routed_packets.cfg b/etc/conf.d/7.2.1_disable_source_routed_packets.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.2.1_disable_source_routed_packets.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/7.2.2_disable_icmp_redirect.cfg b/etc/conf.d/7.2.2_disable_icmp_redirect.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.2.2_disable_icmp_redirect.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg b/etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/7.2.4_log_martian_packets.cfg b/etc/conf.d/7.2.4_log_martian_packets.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.2.4_log_martian_packets.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From c119e8d0f2711d2bee0f8226aa4ce65672629bea Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Wed, 13 Apr 2016 16:07:16 +0200
Subject: [PATCH 31/64] 7.2.5_ignore_broadcast_requests.sh 7.2.6_enable_bad_error_message_protection.sh 7.2.7_enable_source_route_validation.sh 7.2.8_enable_tcp_syn_cookies.sh
---
 .../7.2.5_ignore_broadcast_requests.sh | 70 +++++++++++++++++++
 ...2.6_enable_bad_error_message_protection.sh | 70 +++++++++++++++++++
 .../7.2.7_enable_source_route_validation.sh | 70 +++++++++++++++++++
 bin/hardening/7.2.8_enable_tcp_syn_cookies.sh | 70 +++++++++++++++++++
 .../7.2.5_ignore_broadcast_requests.cfg | 2 +
 ....6_enable_bad_error_message_protection.cfg | 2 +
 .../7.2.7_enable_source_route_validation.cfg | 2 +
 etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg | 2 +
 8 files changed, 288 insertions(+)
 create mode 100755 bin/hardening/7.2.5_ignore_broadcast_requests.sh
 create mode 100755 bin/hardening/7.2.6_enable_bad_error_message_protection.sh
 create mode 100755 bin/hardening/7.2.7_enable_source_route_validation.sh
 create mode 100755 bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
 create mode 100644 etc/conf.d/7.2.5_ignore_broadcast_requests.cfg
 create mode 100644 etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg
 create mode 100644 etc/conf.d/7.2.7_enable_source_route_validation.cfg
 create mode 100644 etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg
diff --git a/bin/hardening/7.2.5_ignore_broadcast_requests.sh b/bin/hardening/7.2.5_ignore_broadcast_requests.sh
new file mode 100755
index 0000000..56475b1
--- /dev/null
+++ b/bin/hardening/7.2.5_ignore_broadcast_requests.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.2.5 Enable Ignore Broadcast Requests (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.icmp_echo_ignore_broadcasts=1'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.6_enable_bad_error_message_protection.sh b/bin/hardening/7.2.6_enable_bad_error_message_protection.sh
new file mode 100755
index 0000000..c964383
--- /dev/null
+++ b/bin/hardening/7.2.6_enable_bad_error_message_protection.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.2.6 Enable Bad Error Message Protection (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.icmp_ignore_bogus_error_responses=1'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.7_enable_source_route_validation.sh b/bin/hardening/7.2.7_enable_source_route_validation.sh
new file mode 100755
index 0000000..5a7e8d8
--- /dev/null
+++ b/bin/hardening/7.2.7_enable_source_route_validation.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.2.7 Enable RFC-recommended Source Route Validation (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh b/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
new file mode 100755
index 0000000..69503fb
--- /dev/null
+++ b/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
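Review bot: The loop bodies call `debug`, `ok` and `warn` as plain commands under `set -e`; if those helpers are written as `[ level-test ] && _logger …` they return 1 whenever the configured loglevel filters the message, and errexit would then end the script at the first `debug` line of audit — worth confirming against lib/common.sh and, if so, wrapping the helper bodies in `if … fi` so they always return 0. A style point: `SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)` and the matching `-f 2` line fork two processes per parameter for a split the shell does itself, `SYSCTL_PARAM=${SYSCTL_VALUES%%=*}` and `SYSCTL_EXP_RESULT=${SYSCTL_VALUES#*=}`. Both observations apply equally to the 7.2.6, 7.2.8 and 7.3.x hunks.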
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.2.8 Enable TCP SYN Cookies (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv4.tcp_syncookies=1'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/7.2.5_ignore_broadcast_requests.cfg b/etc/conf.d/7.2.5_ignore_broadcast_requests.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.2.5_ignore_broadcast_requests.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg b/etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/7.2.7_enable_source_route_validation.cfg b/etc/conf.d/7.2.7_enable_source_route_validation.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.2.7_enable_source_route_validation.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg b/etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From 115de36b340ea4d92d8abc728f341282706b1ccf Mon Sep 17 00:00:00 2001
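Review bot: apply relies on `set_sysctl_param` to make tcp_syncookies stick, but that helper's body is outside this diff; if it only issues `sysctl -w`, the value does not survive a reboot and audit keeps passing until the next one. A comment at the call site should say where persistence is handled, e.g. `# set_sysctl_param (lib/utils.sh) is responsible for making the value persistent across reboots` so that a reader of this script does not have to check the library. The same remark holds for every sysctl-based script in this series.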
From: "thibault.dewailly" Date: Wed, 13 Apr 2016 17:41:10 +0200 Subject: [PATCH 32/64] 7.3.1_disable_ipv6_router_advertisement.sh --- ...7.3.1_disable_ipv6_router_advertisement.sh | 80 +++++++++++++++++++ ....3.1_disable_ipv6_router_advertisement.cfg | 2 + lib/utils.sh | 33 ++++++-- 3 files changed, 109 insertions(+), 6 deletions(-) create mode 100755 bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh create mode 100644 etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg diff --git a/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh b/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh new file mode 100755 index 0000000..5903ad7 --- /dev/null +++ b/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh 
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.3.1 Disable IPv6 Router Advertisements (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET != 0 ]; then
+ ok "ipv6 is disabled"
+ else
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET != 0 ]; then
+ ok "ipv6 is disabled"
+ else
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg b/etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/lib/utils.sh b/lib/utils.sh
index db46e5d..25905bd 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -1,7 +1,7 @@ # CIS Debian 7 Hardening Utility functions # -# Sysctl Manipulation +# Sysctl # has_sysctl_param_expected_result() {
@@ -19,6 +19,16 @@ has_sysctl_param_expected_result() { fi } +does_sysctl_param_exists() { + local SYSCTL_PARAM=$1 + if [ "$(sysctl -a 2>/dev/null |grep "$SYSCTL_PARAM" -c)" = 0 ]; then + FNRET=1 + else + FNRET=0 + fi +} + + set_sysctl_param() { local SYSCTL_PARAM=$1 local VALUE=$2
@@ -35,7 +45,18 @@ set_sysctl_param() { } # -# Dmesg Manipulation +# Network +# + +is_ipv6_disabled_by_bootloader() { + #if + # + : +} + + +# +# Dmesg # does_pattern_exists_in_dmesg() {
@@ -48,7 +69,7 @@ does_pattern_exists_in_dmesg() { } # -# File manipulation +# File # does_file_exist() {
@@ -130,7 +151,7 @@ replace_in_file() { } # -# User manipulation +# Users and groups # does_user_exist() {
@@ -188,7 +209,7 @@ is_kernel_option_enabled() { } # -# Mounting point manipulation +# Mounting point # # Verify $1 is a partition declared in fstab
@@ -263,7 +284,7 @@ remount_partition() { } # -# APT manipulation +# APT # apt_update_if_needed()
From 0820c89dc5f08cfa8e72caca748485e2395c35c5 Mon Sep 17 00:00:00 2001
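Review bot: apply flushes the IPv4 routing cache (`sysctl -w net.ipv4.route.flush=1`) after changing IPv6 accept_ra keys; the IPv6 counterpart is `sysctl -w net.ipv6.route.flush=1 > /dev/null`, and the 7.3.2 hunk has the same mismatch. The shortcut `ok "ipv6 is disabled"` fires whenever `does_sysctl_param_exists "net.ipv6"` finds no match, which only shows that no such key appears in `sysctl -a` output; `ok "no net.ipv6 sysctl keys found, skipping"` states what was actually verified. The unreachable `elif [ $FNRET = 255 ]` ordering raised on 7.2.6 is present in both loops here as well.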
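Review bot: `grep "$SYSCTL_PARAM" -c` in does_sysctl_param_exists uses the key as an unanchored regular expression, so `.` matches any character and a key that is a prefix of another also matches the longer one; since only a zero count is acted on, a spurious match reports a key as present and the callers in 7.3.x then go on to touch keys that may not exist. A fixed-string, option-safe form is `if [ "$(sysctl -a 2>/dev/null | grep -c -F -- "$SYSCTL_PARAM")" = 0 ]; then`, with anchoring added if exact-key semantics are wanted. The helper has no header; `# Sets FNRET=0 if a sysctl key matching $1 exists, 1 otherwise` would document the contract the callers depend on.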
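Review bot: `is_ipv6_disabled_by_bootloader` is added as an empty stub with a dangling `#if` comment and a bare `:`, and nothing visible in this series calls it; a future caller would get no FNRET assignment from it, so the first `[ $FNRET … ]` test would either see a stale value or abort under `set -u`. Either leave the function out until it is implemented or make the stub explicit, `# TODO: inspect the kernel command line for an ipv6-disable option; not implemented yet` followed by `FNRET=1`, so its behaviour is defined.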
From: "thibault.dewailly" Date: Wed, 13 Apr 2016 17:47:25 +0200 Subject: [PATCH 33/64] 7.3.2_disable_ipv6_redirect.sh --- bin/hardening/7.3.2_disable_ipv6_redirect.sh | 80 ++++++++++++++++++++ etc/conf.d/7.3.2_disable_ipv6_redirect.cfg | 2 + 2 files changed, 82 insertions(+) create mode 100755 bin/hardening/7.3.2_disable_ipv6_redirect.sh create mode 100644 etc/conf.d/7.3.2_disable_ipv6_redirect.cfg diff --git a/bin/hardening/7.3.2_disable_ipv6_redirect.sh b/bin/hardening/7.3.2_disable_ipv6_redirect.sh new file mode 100755 index 0000000..594bbd3 --- /dev/null +++ b/bin/hardening/7.3.2_disable_ipv6_redirect.sh 
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.3.2 Disable IPv6 Redirect Acceptance (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET != 0 ]; then
+ ok "ipv6 is disabled"
+ else
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET != 0 ]; then
+ ok "ipv6 is disabled"
+ else
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ sysctl -w net.ipv4.route.flush=1 > /dev/null
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/7.3.2_disable_ipv6_redirect.cfg b/etc/conf.d/7.3.2_disable_ipv6_redirect.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.3.2_disable_ipv6_redirect.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From 0cf8bd3dd83a191cd9f24c20c237ad22c5aafa6b Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Wed, 13 Apr 2016 21:19:26 +0200 Subject: [PATCH 34/64] 7.3.3_disable_ipv6.sh --- bin/hardening/7.3.3_disable_ipv6.sh | 80 +++++++++++++++++++++++++++++ etc/conf.d/7.3.3_disable_ipv6.cfg | 2 + 2 files changed, 82 insertions(+) create mode 100755 bin/hardening/7.3.3_disable_ipv6.sh create mode 100644 etc/conf.d/7.3.3_disable_ipv6.cfg
diff --git a/bin/hardening/7.3.3_disable_ipv6.sh b/bin/hardening/7.3.3_disable_ipv6.sh
new file mode 100755
index 0000000..a1a325d
--- /dev/null
+++ b/bin/hardening/7.3.3_disable_ipv6.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.3.3 Disable IPv6 (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET != 0 ]; then
+ ok "ipv6 is disabled"
+ else
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ crit "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value !"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_sysctl_param_exists "net.ipv6"
+ if [ $FNRET != 0 ]; then
+ ok "ipv6 is disabled"
+ else
+ for SYSCTL_VALUES in $SYSCTL_PARAMS; do
+ SYSCTL_PARAM=$(echo $SYSCTL_VALUES | cut -d= -f 1)
+ SYSCTL_EXP_RESULT=$(echo $SYSCTL_VALUES | cut -d= -f 2)
+ debug "$SYSCTL_PARAM must have $SYSCTL_EXP_RESULT"
+ has_sysctl_param_expected_result $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ if [ $FNRET != 0 ]; then
+ warn "$SYSCTL_PARAM has not $SYSCTL_EXP_RESULT value, correcting it"
+ set_sysctl_param $SYSCTL_PARAM $SYSCTL_EXP_RESULT
+ warn "you may want to reboot or sysctl -p a file including $SYSCTL_PARAMS"
+ elif [ $FNRET = 255 ]; then
+ warn "$SYSCTL_PARAM does not exist, typo ?"
+ else
+ ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
+ fi
+ done
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/7.3.3_disable_ipv6.cfg b/etc/conf.d/7.3.3_disable_ipv6.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.3.3_disable_ipv6.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From c5f2b41421e65805cf21b5e51390a9def2f68a81 Mon Sep 17 00:00:00 2001
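Review bot: The reboot hint on the `warn "you may want to reboot or sysctl -p …"` line sits inside the per-parameter loop, so it is printed once for each of the three keys that gets corrected; set a flag in that branch and emit the warning once after `done`. More importantly, the companion cfg hunk ships `status=enabled` for a Not Scored control whose apply disables IPv6 on every interface including `lo`, which can take IPv6-only services down on the first unattended run; `status=audit` as the shipped default for 7.3.3 lets operators opt in deliberately. The unreachable `elif [ $FNRET = 255 ]` ordering raised on 7.2.6 applies to both loops here as well.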
From: "thibault.dewailly" Date: Wed, 13 Apr 2016 22:51:18 +0200 Subject: [PATCH 35/64] 7.4.1_install_tcp_wrapper.sh 7.4.2_hosts_allow.sh 7.4.3_hosts_allow_permissions.sh 7.4.4_hosts_deny.sh 7.4.5_hosts_deny_permissions.sh 7.5.1_disable_dccp.sh 7.5.2_disable_sctp.sh 7.5.3_disable_rds.sh 7.5.4_disable_tipc.sh 7.6_disable_wireless.sh 7.7_enable_firewall.sh 8.0_install_auditd.sh 8.1.1.1_audit_log_storage.sh --- bin/hardening/7.4.1_install_tcp_wrapper.sh | 55 +++++++++++++++ bin/hardening/7.4.2_hosts_allow.sh | 56 +++++++++++++++ .../7.4.3_hosts_allow_permissions.sh | 56 +++++++++++++++ bin/hardening/7.4.4_hosts_deny.sh | 70 +++++++++++++++++++ bin/hardening/7.4.5_hosts_deny_permissions.sh | 56 +++++++++++++++ bin/hardening/7.5.1_disable_dccp.sh | 42 +++++++++++ bin/hardening/7.5.2_disable_sctp.sh | 42 +++++++++++ bin/hardening/7.5.3_disable_rds.sh | 42 +++++++++++ bin/hardening/7.5.4_disable_tipc.sh | 42 +++++++++++ bin/hardening/7.6_disable_wireless.sh | 42 +++++++++++ bin/hardening/7.7_enable_firewall.sh | 58 +++++++++++++++ bin/hardening/8.0_install_auditd.sh | 57 +++++++++++++++ bin/hardening/8.1.1.1_audit_log_storage.sh | 70 +++++++++++++++++++ etc/conf.d/7.4.1_install_tcp_wrapper.cfg | 2 + etc/conf.d/7.4.2_hosts_allow.cfg | 2 + etc/conf.d/7.4.3_hosts_allow_permissions.cfg | 2 + etc/conf.d/7.4.4_hosts_deny.cfg | 2 + etc/conf.d/7.4.5_hosts_deny_permissions.cfg | 2 + etc/conf.d/7.5.1_disable_dccp.cfg | 2 + etc/conf.d/7.5.2_disable_sctp.cfg | 2 + etc/conf.d/7.6_disable_wireless.cfg | 2 + etc/conf.d/7.7_enable_firewall.cfg | 2 + etc/conf.d/8.0_install_auditd.cfg | 2 + etc/conf.d/8.1.1.1_audit_log_storage.cfg | 2 + 24 files changed, 710 insertions(+) create mode 100755 bin/hardening/7.4.1_install_tcp_wrapper.sh create mode 100755 bin/hardening/7.4.2_hosts_allow.sh create mode 100755 bin/hardening/7.4.3_hosts_allow_permissions.sh create mode 100755 bin/hardening/7.4.4_hosts_deny.sh create mode 100755 bin/hardening/7.4.5_hosts_deny_permissions.sh create mode 100755 
bin/hardening/7.5.1_disable_dccp.sh create mode 100755 bin/hardening/7.5.2_disable_sctp.sh create mode 100755 bin/hardening/7.5.3_disable_rds.sh create mode 100755 bin/hardening/7.5.4_disable_tipc.sh create mode 100755 bin/hardening/7.6_disable_wireless.sh create mode 100755 bin/hardening/7.7_enable_firewall.sh create mode 100755 bin/hardening/8.0_install_auditd.sh create mode 100755 bin/hardening/8.1.1.1_audit_log_storage.sh create mode 100644 etc/conf.d/7.4.1_install_tcp_wrapper.cfg create mode 100644 etc/conf.d/7.4.2_hosts_allow.cfg create mode 100644 etc/conf.d/7.4.3_hosts_allow_permissions.cfg create mode 100644 etc/conf.d/7.4.4_hosts_deny.cfg create mode 100644 etc/conf.d/7.4.5_hosts_deny_permissions.cfg create mode 100644 etc/conf.d/7.5.1_disable_dccp.cfg create mode 100644 etc/conf.d/7.5.2_disable_sctp.cfg create mode 100644 etc/conf.d/7.6_disable_wireless.cfg create mode 100644 etc/conf.d/7.7_enable_firewall.cfg create mode 100644 etc/conf.d/8.0_install_auditd.cfg create mode 100644 etc/conf.d/8.1.1.1_audit_log_storage.cfg diff --git a/bin/hardening/7.4.1_install_tcp_wrapper.sh b/bin/hardening/7.4.1_install_tcp_wrapper.sh new file mode 100755 index 0000000..751eeda --- /dev/null +++ b/bin/hardening/7.4.1_install_tcp_wrapper.sh 
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.4.1 Install TCP Wrappers (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE='tcpd'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.4.2_hosts_allow.sh b/bin/hardening/7.4.2_hosts_allow.sh
new file mode 100755
index 0000000..a0de311
--- /dev/null
+++ b/bin/hardening/7.4.2_hosts_allow.sh
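Review bot: In apply the "absent, installing it" message is logged with `crit`, while every other apply path in this series logs the corrective action with `warn` and keeps `crit` for audit findings; `warn "$PACKAGE is absent, installing it"` keeps the levels consistent for anyone filtering the run on KO lines. `apt_install`'s body is outside this diff; since the script runs with `set -e` and unattended, a comment at the call site stating that the helper is non-interactive (or a note that it must be) would save the next reader a trip to lib/utils.sh.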
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.4.2 Create /etc/hosts.allow (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/hosts.allow'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ else
+ ok "$FILE exist"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ warn "$FILE does not exist, creating it"
+ touch $FILE
+ warn "You may want to fill it with allowed networks"
+ else
+ ok "$FILE exist"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.4.3_hosts_allow_permissions.sh b/bin/hardening/7.4.3_hosts_allow_permissions.sh
new file mode 100755
index 0000000..a6536ae
--- /dev/null
+++ b/bin/hardening/7.4.3_hosts_allow_permissions.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.4.3 Verify Permissions on /etc/hosts.allow (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/hosts.allow'
+PERMISSIONS='644'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.4.4_hosts_deny.sh b/bin/hardening/7.4.4_hosts_deny.sh
new file mode 100755
index 0000000..7403589
--- /dev/null
+++ b/bin/hardening/7.4.4_hosts_deny.sh
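Review bot: apply runs `chmod 0$PERMISSIONS $FILE` without first checking that /etc/hosts.allow exists; when 7.4.2 is disabled or has not run yet, `has_file_correct_permissions` presumably reports a mismatch for the missing file and the chmod then fails, which under `set -e` aborts the script instead of logging a finding. Guard both functions with `does_file_exist $FILE`, `if [ $FNRET != 0 ]; then crit "$FILE does not exist"; return; fi` ahead of the permission check; the 7.4.5 hunk for /etc/hosts.deny needs the same guard. Only the mode bits are verified and ownership is not, which may be intended but is worth a comment such as `# Ownership (root:root) is not verified here`.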
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.4.4 Create /etc/hosts.deny (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/hosts.deny'
+PATTERN='ALL: ALL'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ else
+ ok "$FILE exist, checking configuration"
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILE, we have to deny everything"
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ warn "$FILE does not exist, creating it"
+ touch $FILE
+ else
+ ok "$FILE exist"
+ fi
+ does_pattern_exists_in_file $FILE "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILE, we have to deny everything"
+ add_end_of_file $FILE "$PATTERN"
+ warn "YOU MAY HAVE CUT YOUR ACCESS, CHECK BEFORE DISCONNECTING"
+ else
+ ok "$PATTERN present in $FILE"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.4.5_hosts_deny_permissions.sh b/bin/hardening/7.4.5_hosts_deny_permissions.sh
new file mode 100755
index 0000000..50aae37
--- /dev/null
+++ b/bin/hardening/7.4.5_hosts_deny_permissions.sh
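Review bot: apply appends `ALL: ALL` to /etc/hosts.deny regardless of the state of /etc/hosts.allow, and the 7.4.2 hunk only ever creates that file empty; with an empty allow list every service that consults tcp_wrappers refuses all clients, which the "YOU MAY HAVE CUT YOUR ACCESS" warning acknowledges rather than prevents. Check the allow file before denying: `if [ ! -s /etc/hosts.allow ]; then crit "/etc/hosts.allow is empty, refusing to add $PATTERN"; return; fi` placed ahead of the `add_end_of_file` call. The audit message "we have to deny everything" describes an action inside a read-only check; `crit "$PATTERN not present in $FILE"` is enough there. Whether `does_pattern_exists_in_file` skips commented-out lines cannot be seen from this diff; if it does not, a `#ALL: ALL` line would satisfy the audit, so an anchored pattern is worth considering.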
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.4.5 Verify Permissions on /etc/hosts.deny (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/hosts.deny'
+PERMISSIONS='644'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.5.1_disable_dccp.sh b/bin/hardening/7.5.1_disable_dccp.sh
new file mode 100755
index 0000000..b159a29
--- /dev/null
+++ b/bin/hardening/7.5.1_disable_dccp.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.5.1 Disable DCCP (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Not implemented yet"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Not implemented yet"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.5.2_disable_sctp.sh b/bin/hardening/7.5.2_disable_sctp.sh
new file mode 100755
index 0000000..d521282
--- /dev/null
+++ b/bin/hardening/7.5.2_disable_sctp.sh
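Review bot: audit and apply log "Not implemented yet" at `info` level, which a lower configured loglevel hides, and they never assign FNRET, so a run over the whole series shows this control neither passing nor failing; `warn "Not implemented yet"` in both functions keeps the gap visible in a normal run. A header comment stating what the implementation should verify would also help the next contributor, e.g. `# TODO: verify the dccp module cannot be loaded (install dccp /bin/true in /etc/modprobe.d)`. The 7.5.2, 7.5.3, 7.5.4 and 7.6 hunks are the same stub and need the same treatment.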
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.5.2 Disable SCTP (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Not implemented yet"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Not implemented yet"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.5.3_disable_rds.sh b/bin/hardening/7.5.3_disable_rds.sh
new file mode 100755
index 0000000..d521282
--- /dev/null
+++ b/bin/hardening/7.5.3_disable_rds.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 7.5.2 Disable SCTP (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Not implemented yet"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Not implemented yet"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/7.5.4_disable_tipc.sh b/bin/hardening/7.5.4_disable_tipc.sh
new file mode 100755
index 0000000..d521282
--- /dev/null
+++ b/bin/hardening/7.5.4_disable_tipc.sh
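Review bot: The header comment reads "7.5.2 Disable SCTP (Not Scored)" in a file named 7.5.3_disable_rds.sh, and the 7.5.4_disable_tipc.sh hunk carries the same copied header (its index hash is identical, so the two files are byte-for-byte copies of 7.5.2); they should read `# 7.5.3 Disable RDS (Not Scored)` and `# 7.5.4 Disable TIPC (Not Scored)`. The diffstat of this commit also lists no etc/conf.d/7.5.3_disable_rds.cfg or 7.5.4_disable_tipc.cfg, unlike every other script it adds, so `status` for these two falls back to whatever lib/main.sh does for a missing cfg — presumably unintended, and worth adding the two cfg files for consistency.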
@@ -0,0 +1,42 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.5.2 Disable SCTP (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.6_disable_wireless.sh b/bin/hardening/7.6_disable_wireless.sh new file mode 100755 index 0000000..d792361 --- /dev/null +++ b/bin/hardening/7.6_disable_wireless.sh 
@@ -0,0 +1,42 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.6 Deactivate Wireless Interfaces (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/7.7_enable_firewall.sh b/bin/hardening/7.7_enable_firewall.sh new file mode 100755 index 0000000..22ce33c --- /dev/null +++ b/bin/hardening/7.7_enable_firewall.sh 
@@ -0,0 +1,58 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 7.4.1 Install TCP Wrappers (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Quick note here : CIS recommends your iptables rules to be persistent. +# Do as you want, but this script does not handle this + +PACKAGE='iptables' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.0_install_auditd.sh b/bin/hardening/8.0_install_auditd.sh new file mode 100755 index 0000000..83af3bd --- /dev/null +++ b/bin/hardening/8.0_install_auditd.sh 
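Review bot: The audit in 7.7_enable_firewall.sh only verifies that the iptables package is installed, so a host with the package present and an empty ruleset (default ACCEPT policies) is reported ok although the control is about the firewall being active. After the package check, also inspect the loaded rules before reporting ok — for example `iptables -S INPUT | grep -q -- '-P INPUT DROP'`, hedged because the exact policy this project expects is not visible here — and have apply report crit when no rules are loaded instead of claiming success after `apt_install`. `crit "$PACKAGE is absent, installing it"` in apply announces a remediation, not a failure; `warn` is the level this series uses for the same situation in 8.1.2_enable_auditd.sh.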
@@ -0,0 +1,57 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.0 Install auditd +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Note : Not port of the CIS guide, but what's the point configuring a software not installed ? :) + +PACKAGE='auditd' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.1.1_audit_log_storage.sh b/bin/hardening/8.1.1.1_audit_log_storage.sh new file mode 100755 index 0000000..85cfc3c --- /dev/null +++ b/bin/hardening/8.1.1.1_audit_log_storage.sh 
@@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.1.1 Configure Audit Log Storage Size (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/audit/auditd.conf' +PATTERN='max_log_file' +VALUE=5 + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + else + ok "$FILE exist, checking configuration" + does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILE, we have to deny everything" + else + ok "$PATTERN present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + warn "$FILE does not exist, creating it" + touch $FILE + else + ok "$FILE exist" + fi + does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]" + if [ $FNRET != 0 ]; then + warn "$PATTERN not present in $FILE, adding it" + add_end_of_file $FILE "$PATTERN = $VALUE" + else + ok "$PATTERN present in $FILE" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/7.4.1_install_tcp_wrapper.cfg b/etc/conf.d/7.4.1_install_tcp_wrapper.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.4.1_install_tcp_wrapper.cfg 
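Review bot: The audit in 8.1.1.1_audit_log_storage.sh checks only that a `max_log_file` key exists (`"^$PATTERN[[:space:]]"`), never that it carries `$VALUE`, so `max_log_file = 1` passes and VALUE is used only when the key is absent. Use a value-carrying pattern such as `PATTERN="^max_log_file[[:space:]]*=[[:space:]]*$VALUE[[:space:]]*$"` in both functions, and let apply correct a wrong value with replace_in_file instead of only appending. `touch $FILE` on a missing /etc/audit/auditd.conf leaves a configuration holding nothing but this key; whether auditd starts with such a file is not visible here, so reporting crit and relying on the auditd install script (8.0_install_auditd.sh in this series) looks safer — the same touch is in 8.1.1.2_halt_when_audit_log_full.sh and 8.1.1.3_keep_all_audit_logs.sh.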
@@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.4.2_hosts_allow.cfg b/etc/conf.d/7.4.2_hosts_allow.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.4.2_hosts_allow.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.4.3_hosts_allow_permissions.cfg b/etc/conf.d/7.4.3_hosts_allow_permissions.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.4.3_hosts_allow_permissions.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.4.4_hosts_deny.cfg b/etc/conf.d/7.4.4_hosts_deny.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.4.4_hosts_deny.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.4.5_hosts_deny_permissions.cfg b/etc/conf.d/7.4.5_hosts_deny_permissions.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.4.5_hosts_deny_permissions.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.5.1_disable_dccp.cfg b/etc/conf.d/7.5.1_disable_dccp.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.5.1_disable_dccp.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.5.2_disable_sctp.cfg b/etc/conf.d/7.5.2_disable_sctp.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.5.2_disable_sctp.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/7.6_disable_wireless.cfg b/etc/conf.d/7.6_disable_wireless.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.6_disable_wireless.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled 
diff --git a/etc/conf.d/7.7_enable_firewall.cfg b/etc/conf.d/7.7_enable_firewall.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/7.7_enable_firewall.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.0_install_auditd.cfg b/etc/conf.d/8.0_install_auditd.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.0_install_auditd.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.1.1.1_audit_log_storage.cfg b/etc/conf.d/8.1.1.1_audit_log_storage.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.1.1_audit_log_storage.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled From ea6361ddb514474756ee0d6a0c3d4aaa76b6b21a Mon Sep 17 00:00:00 2001 
From: "thibault.dewailly" Date: Thu, 14 Apr 2016 10:40:31 +0200 Subject: [PATCH 36/64] 8.0_enable_auditd_kernel.sh 8.1.1.2_halt_when_audit_log_full.sh 8.1.2_enable_auditd.sh --- bin/hardening/2.25_disable_automounting.sh | 2 +- bin/hardening/7.5.3_disable_rds.sh | 2 +- bin/hardening/7.5.4_disable_tipc.sh | 2 +- bin/hardening/7.7_enable_firewall.sh | 2 +- bin/hardening/8.0_enable_auditd_kernel.sh | 59 +++++++++++++ bin/hardening/8.1.1.1_audit_log_storage.sh | 2 +- .../8.1.1.2_halt_when_audit_log_full.sh | 88 +++++++++++++++++++ ...stall_auditd.sh => 8.1.2_enable_auditd.sh} | 21 ++++- ...uditd.cfg => 8.0_enable_auditd_kernel.cfg} | 0 .../8.1.1.2_halt_when_audit_log_full.cfg | 2 + etc/conf.d/8.1.2_enable_auditd.cfg | 2 + 11 files changed, 173 insertions(+), 9 deletions(-) create mode 100755 bin/hardening/8.0_enable_auditd_kernel.sh create mode 100755 bin/hardening/8.1.1.2_halt_when_audit_log_full.sh rename bin/hardening/{8.0_install_auditd.sh => 8.1.2_enable_auditd.sh} (66%) rename etc/conf.d/{8.0_install_auditd.cfg => 8.0_enable_auditd_kernel.cfg} (100%) create mode 100644 etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg create mode 100644 etc/conf.d/8.1.2_enable_auditd.cfg diff --git a/bin/hardening/2.25_disable_automounting.sh b/bin/hardening/2.25_disable_automounting.sh index 2abd21f..7094597 100755 --- a/bin/hardening/2.25_disable_automounting.sh +++ b/bin/hardening/2.25_disable_automounting.sh @@ -31,7 +31,7 @@ apply () { is_service_enabled $SERVICE_NAME if [ $FNRET = 0 ]; then info "Disabling $SERVICE_NAME" - update-rc.d $SERVICE_NAME disable + update-rc.d $SERVICE_NAME disable > /dev/null 2>&1 else ok "$SERVICE_NAME is disabled" fi diff --git a/bin/hardening/7.5.3_disable_rds.sh b/bin/hardening/7.5.3_disable_rds.sh index d521282..061a653 100755 --- a/bin/hardening/7.5.3_disable_rds.sh +++ b/bin/hardening/7.5.3_disable_rds.sh @@ -6,7 +6,7 @@ # # -# 7.5.2 Disable SCTP (Not Scored) +# 7.5.3 Disable RDS (Not Scored) # set -e # One error, it's over 
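Review bot: Redirecting `2>&1` to /dev/null on `update-rc.d $SERVICE_NAME disable` in 2.25_disable_automounting.sh discards the tool's error text, and because the file runs under `set -e` a failing update-rc.d now aborts the script with no diagnostic at all. Keep stderr visible — `update-rc.d $SERVICE_NAME disable > /dev/null` — or capture it into a warn message, so an operator can tell why the hardening run stopped. apply's body continues outside the hunk.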
diff --git a/bin/hardening/7.5.4_disable_tipc.sh b/bin/hardening/7.5.4_disable_tipc.sh index d521282..db8dc27 100755 --- a/bin/hardening/7.5.4_disable_tipc.sh +++ b/bin/hardening/7.5.4_disable_tipc.sh @@ -6,7 +6,7 @@ # # -# 7.5.2 Disable SCTP (Not Scored) +# 7.5.4 Disable TIPC (Not Scored) # set -e # One error, it's over diff --git a/bin/hardening/7.7_enable_firewall.sh b/bin/hardening/7.7_enable_firewall.sh index 22ce33c..999fb2e 100755 --- a/bin/hardening/7.7_enable_firewall.sh +++ b/bin/hardening/7.7_enable_firewall.sh @@ -6,7 +6,7 @@ # # -# 7.4.1 Install TCP Wrappers (Scored) +# 7.7 Ensure Firewall is active (Scored) # set -e # One error, it's over diff --git a/bin/hardening/8.0_enable_auditd_kernel.sh b/bin/hardening/8.0_enable_auditd_kernel.sh new file mode 100755 index 0000000..03229c6 --- /dev/null +++ b/bin/hardening/8.0_enable_auditd_kernel.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.0 Ensure CONFIG_AUDIT is enabled in your running kernel +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Note : Not part of the CIS guide, but what's the point configuring a software not compatible with your kernel ? :) + +KERNEL_OPTION="CONFIG_AUDIT" + + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_kernel_option_enabled "^$KERNEL_OPTION=" + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + ok "$KERNEL_OPTION is enabled" + else + crit "$KERNEL_OPTION is disabled, auditd will not work" + fi + : +} + +# This function will be called if the script status is on enabled mode +apply () { + is_kernel_option_enabled "^$KERNEL_OPTION=" + if [ $FNRET = 0 ]; then # 0 means true in bash, so it IS activated + ok "$KERNEL_OPTION is enabled" + else + warn "I cannot fix $KERNEL_OPTION disabled, to make auditd work, recompile your kernel please" + fi + : +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.1.1_audit_log_storage.sh b/bin/hardening/8.1.1.1_audit_log_storage.sh index 85cfc3c..369c4c7 100755 --- a/bin/hardening/8.1.1.1_audit_log_storage.sh +++ b/bin/hardening/8.1.1.1_audit_log_storage.sh 
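Review bot: The pattern handed to is_kernel_option_enabled in 8.0_enable_auditd_kernel.sh, `"^$KERNEL_OPTION="`, matches any assignment of CONFIG_AUDIT rather than the enabled state; if the helper greps the kernel config with the pattern as given (it is not visible here), `"^$KERNEL_OPTION=y"` pins what the script actually wants to know. The trailing `:` at the end of both audit and apply is dead once the functions have a body and can be dropped. The warn in apply is the right level for a condition the script cannot fix, but the audit already said crit for the same state; a short comment, `# cannot be remediated at runtime, reported only`, would explain the asymmetry to the next reader.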
@@ -25,7 +25,7 @@ audit () {
 ok "$FILE exist, checking configuration"
 does_pattern_exists_in_file $FILE "^$PATTERN[[:space:]]"
 if [ $FNRET != 0 ]; then
- crit "$PATTERN not present in $FILE, we have to deny everything"
+ crit "$PATTERN not present in $FILE"
 else
 ok "$PATTERN present in $FILE"
 fi
diff --git a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
new file mode 100755
index 0000000..899fd92
--- /dev/null
+++ b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
@@ -0,0 +1,88 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.1.2 Disable System on Audit Log Full (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/audit/auditd.conf' +OPTIONS='space_left_action=email action_mail_acct=root admin_space_left_action=halt' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + else + ok "$FILE exist, checking configuration" + for AUDIT_OPTION in $OPTIONS; do + AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) + AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) + PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" + debug "$AUDIT_PARAM must have value $AUDIT_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILE" + else + ok "$PATTERN present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + warn "$FILE does not exist, creating it" + touch $FILE + else + ok "$FILE exist" + fi + for AUDIT_OPTION in $OPTIONS; do + AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) + AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) + debug "$AUDIT_PARAM must have value $AUDIT_VALUE" + PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET != 0 ]; then + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$AUDIT_PARAM" + if [ $FNRET != 0 ]; then + info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" + add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" + else + info "Parameter $AUDIT_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE" + fi + else 
+ ok "$PATTERN present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.0_install_auditd.sh b/bin/hardening/8.1.2_enable_auditd.sh similarity index 66% rename from bin/hardening/8.0_install_auditd.sh rename to bin/hardening/8.1.2_enable_auditd.sh index 83af3bd..02962e9 100755 --- a/bin/hardening/8.0_install_auditd.sh +++ b/bin/hardening/8.1.2_enable_auditd.sh @@ -6,15 +6,14 @@ # # -# 8.0 Install auditd +# 8.1.2 Install and Enable auditd Service (Scored) # set -e # One error, it's over set -u # One variable unset, it's over -# Note : Not port of the CIS guide, but what's the point configuring a software not installed ? :) - PACKAGE='auditd' +SERVICE_NAME='auditd' # This function will be called if the script status is on enabled / audit mode audit () { @@ -23,6 +22,12 @@ audit () { crit "$PACKAGE is not installed !" else ok "$PACKAGE is installed" + is_service_enabled $SERVICE_NAME + if [ $FNRET = 0 ]; then + ok "$SERVICE_NAME is enabled" + else + crit "$SERVICE_NAME is not enabled" + fi fi } 
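Review bot: The value check in 8.1.1.2_halt_when_audit_log_full.sh is not anchored at the end: `PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE"` is an ERE prefix match, so `space_left_action = email_me` or `admin_space_left_action = halted` satisfy the audit and apply then leaves the wrong value in place. Append an end anchor in both audit and apply, `PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE[[:space:]]*$"`; 8.1.1.3_keep_all_audit_logs.sh in the next commit builds the same pattern and needs the same change. As a style point, the two `echo | cut` pipelines per iteration can be plain parameter expansions, `AUDIT_PARAM=${AUDIT_OPTION%%=*}` and `AUDIT_VALUE=${AUDIT_OPTION#*=}`, which also stops the value being word-split through echo.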
@@ -32,9 +37,17 @@ apply () { if [ $FNRET = 0 ]; then ok "$PACKAGE is installed" else - crit "$PACKAGE is absent, installing it" + warn "$PACKAGE is absent, installing it" apt_install $PACKAGE fi + is_service_enabled $SERVICE_NAME + if [ $FNRET = 0 ]; then + ok "$SERVICE_NAME is enabled" + else + warn "$SERVICE_NAME is not enabled, enabling it" + update-rc.d $SERVICE_NAME remove > /dev/null 2>&1 + update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1 + fi } # This function will check config parameters required diff --git a/etc/conf.d/8.0_install_auditd.cfg b/etc/conf.d/8.0_enable_auditd_kernel.cfg similarity index 100% rename from etc/conf.d/8.0_install_auditd.cfg rename to etc/conf.d/8.0_enable_auditd_kernel.cfg diff --git a/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg b/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.1.2_enable_auditd.cfg b/etc/conf.d/8.1.2_enable_auditd.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.2_enable_auditd.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled From 47d017908d91c3e012209b07f1f0bcb05f08a6ac Mon Sep 17 00:00:00 2001 
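Review bot: `update-rc.d $SERVICE_NAME remove` in the new apply branch of 8.1.2_enable_auditd.sh fails on Debian while /etc/init.d/auditd still exists ("exists during rc.d purge (use -f to force)"), and with stderr sent to /dev/null under `set -e` the script aborts silently before the `defaults` line runs. Either force the removal, `update-rc.d -f $SERVICE_NAME remove > /dev/null`, or use `update-rc.d $SERVICE_NAME enable`, the counterpart of the `disable` this series uses in 2.25_disable_automounting.sh, and in both cases keep stderr visible so a failure is logged. Re-creating the links does not start the daemon on the running system; a `service $SERVICE_NAME start` after the links are set (or a warn that a reboot is required) makes the remediation effective immediately. The enclosing apply function starts outside the hunk.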
From: "thibault.dewailly" Date: Thu, 14 Apr 2016 13:11:56 +0200 Subject: [PATCH 37/64] 8.1.1.3_keep_all_audit_logs.sh 8.1.3_audit_bootloader.sh --- .../8.1.1.2_halt_when_audit_log_full.sh | 2 +- bin/hardening/8.1.1.3_keep_all_audit_logs.sh | 88 +++++++++++++++++++ bin/hardening/8.1.3_audit_bootloader.sh | 88 +++++++++++++++++++ etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg | 2 + etc/conf.d/8.1.3_audit_bootloader.cfg | 2 + lib/utils.sh | 2 + 6 files changed, 183 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/8.1.1.3_keep_all_audit_logs.sh create mode 100755 bin/hardening/8.1.3_audit_bootloader.sh create mode 100644 etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg create mode 100644 etc/conf.d/8.1.3_audit_bootloader.cfg diff --git a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh index 899fd92..df21b6f 100755 --- a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh +++ b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh @@ -56,7 +56,7 @@ apply () { warn "$PATTERN not present in $FILE, adding it" does_pattern_exists_in_file $FILE "^$AUDIT_PARAM" if [ $FNRET != 0 ]; then - info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" + info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" else info "Parameter $AUDIT_PARAM is present but with the wrong value, correcting" diff --git a/bin/hardening/8.1.1.3_keep_all_audit_logs.sh b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh new file mode 100755 index 0000000..c83a005 --- /dev/null +++ b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh 
@@ -0,0 +1,88 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.1.3 Keep All Auditing Information (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/audit/auditd.conf' +OPTIONS='max_log_file_action=keep_logs' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + else + ok "$FILE exist, checking configuration" + for AUDIT_OPTION in $OPTIONS; do + AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) + AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) + PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" + debug "$AUDIT_PARAM must have value $AUDIT_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILE" + else + ok "$PATTERN present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + warn "$FILE does not exist, creating it" + touch $FILE + else + ok "$FILE exist" + fi + for AUDIT_OPTION in $OPTIONS; do + AUDIT_PARAM=$(echo $AUDIT_OPTION | cut -d= -f 1) + AUDIT_VALUE=$(echo $AUDIT_OPTION | cut -d= -f 2) + debug "$AUDIT_PARAM must have value $AUDIT_VALUE" + PATTERN="^$AUDIT_PARAM[[:space:]]*=[[:space:]]*$AUDIT_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET != 0 ]; then + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$AUDIT_PARAM" + if [ $FNRET != 0 ]; then + info "Parameter $AUDIT_PARAM seems absent from $FILE, adding at the end" + add_end_of_file $FILE "$AUDIT_PARAM = $AUDIT_VALUE" + else + info "Parameter $AUDIT_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$AUDIT_PARAM[[:space:]]*=.*" "$AUDIT_PARAM = $AUDIT_VALUE" + fi + else + ok "$PATTERN present in $FILE" + fi + done +} + 
+# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.3_audit_bootloader.sh b/bin/hardening/8.1.3_audit_bootloader.sh new file mode 100755 index 0000000..7a8f5e3 --- /dev/null +++ b/bin/hardening/8.1.3_audit_bootloader.sh 
@@ -0,0 +1,88 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.3 Enable Auditing for Processes That Start Prior to auditd (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/default/grub' +OPTIONS='GRUB_CMDLINE_LINUX="audit=1"' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE does not exist" + else + ok "$FILE exist, checking configuration" + for GRUB_OPTION in $OPTIONS; do + GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1) + GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3) + PATTERN="^$GRUB_PARAM=$GRUB_VALUE" + debug "$GRUB_PARAM must have value $GRUB_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILE" + else + ok "$PATTERN present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + warn "$FILE does not exist, creating it" + touch $FILE + else + ok "$FILE exist" + fi + for GRUB_OPTION in $OPTIONS; do + GRUB_PARAM=$(echo $GRUB_OPTION | cut -d= -f 1) + GRUB_VALUE=$(echo $GRUB_OPTION | cut -d= -f 2,3) + debug "$GRUB_PARAM must have value $GRUB_VALUE" + PATTERN="^$GRUB_PARAM=$GRUB_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET != 0 ]; then + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$GRUB_PARAM" + if [ $FNRET != 0 ]; then + info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end" + add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE" + else + info "Parameter $GRUB_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE" + fi + else + ok "$PATTERN present in $FILE" + fi + done +} + +# This function will check config parameters required 
+check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg b/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/8.1.3_audit_bootloader.cfg b/etc/conf.d/8.1.3_audit_bootloader.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/8.1.3_audit_bootloader.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/lib/utils.sh b/lib/utils.sh index 25905bd..6308adb 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -133,6 +133,7 @@ add_line_file_before_pattern() { local LINE=$2 local PATTERN=$3 + backup_file "$1" debug "Inserting $LINE before $PATTERN in $FILE" debug "sed -i '/$PATTERN/i $LINE' $FILE" sed -i "/$PATTERN/i $LINE" $FILE @@ -144,6 +145,7 @@ replace_in_file() { local SOURCE=$2 local DESTINATION=$3 + backup_file "$1" debug "Replacing $SOURCE to $DESTINATION in $FILE" debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE" sed -i "s/$SOURCE/$DESTINATION/g" $FILE From 75e072f304b4072294d9459d7fbeea03e1dad77d Mon Sep 17 00:00:00 2001 
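Review bot: The remediation in 8.1.3_audit_bootloader.sh damages /etc/default/grub in both branches: `add_end_of_file $FILE "$GRUB_PARAM = $GRUB_VALUE"` writes `GRUB_CMDLINE_LINUX = "audit=1"`, which is not a valid assignment in a file that grub-mkconfig sources, and `replace_in_file $FILE "^$GRUB_PARAM=.*" "$GRUB_PARAM=$GRUB_VALUE"` replaces the whole line, silently dropping every kernel parameter already set there. The audit has the mirror problem — `PATTERN="^$GRUB_PARAM=$GRUB_VALUE"` accepts only the exact text `GRUB_CMDLINE_LINUX="audit=1"`, so a correct `GRUB_CMDLINE_LINUX="quiet audit=1"` is reported crit and then clobbered — and the presence check `"^$GRUB_PARAM"` without `=` also matches the `GRUB_CMDLINE_LINUX_DEFAULT` line Debian ships, so the append branch is skipped when only that line exists. Look for `audit=1` inside the existing quoted value, append it rather than replace, and run `update-grub` afterwards, since editing /etc/default/grub changes nothing until grub.cfg is regenerated. The rewritten pattern and apply core are below; the does_file_exist block and the helpers are unchanged.
```shell
GRUB_PARAM='GRUB_CMDLINE_LINUX'
GRUB_VALUE='audit=1'
# accept the token anywhere inside the quoted value, not only as the whole value
PATTERN="^$GRUB_PARAM=\".*$GRUB_VALUE.*\""

# … unchanged: audit() calls does_pattern_exists_in_file $FILE "$PATTERN" and reports crit/ok …

# … unchanged: does_file_exist block at the top of apply() …
    does_pattern_exists_in_file $FILE "$PATTERN"
    if [ $FNRET != 0 ]; then
        # '=' keeps GRUB_CMDLINE_LINUX_DEFAULT from satisfying the presence check
        does_pattern_exists_in_file $FILE "^$GRUB_PARAM="
        if [ $FNRET != 0 ]; then
            info "Parameter $GRUB_PARAM seems absent from $FILE, adding at the end"
            add_end_of_file $FILE "$GRUB_PARAM=\"$GRUB_VALUE\""
        else
            info "Parameter $GRUB_PARAM is present without $GRUB_VALUE, appending to the existing value"
            replace_in_file $FILE "^$GRUB_PARAM=\"\(.*\)\"" "$GRUB_PARAM=\"\1 $GRUB_VALUE\""
        fi
        # /etc/default/grub is only an input; regenerate grub.cfg so the option reaches the next boot's command line
        update-grub > /dev/null
    else
        ok "$PATTERN present in $FILE"
    fi
```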
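Review bot: `backup_file "$1"` is added to add_line_file_before_pattern and replace_in_file in lib/utils.sh but reads `$1` where both functions already bind `local FILE=$1` on the line just above the hunk; `backup_file "$FILE"` reads consistently with the debug and sed lines that follow. If add_end_of_file also writes to its file (it is called by the new scripts but is not visible here), it presumably needs the same call so every mutating helper takes a backup. The `sed -i "s/$SOURCE/$DESTINATION/g" $FILE` below the added line takes its pattern and replacement unescaped, so a caller passing a value containing `/` or `&` gets a sed error or a mangled replacement; a comment on the function, `# SOURCE and DESTINATION go into sed unescaped: callers must not pass '/' or '&'`, records that contract.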
From: "thibault.dewailly" Date: Thu, 14 Apr 2016 14:07:00 +0200 Subject: [PATCH 38/64] 8.1.4_record_date_time_edit.sh 8.1.5_record_user_group_edit.sh --- bin/hardening/8.1.4_record_date_time_edit.sh | 69 +++++++++++++++++++ bin/hardening/8.1.5_record_user_group_edit.sh | 69 +++++++++++++++++++ etc/conf.d/8.1.4_record_date_time_edit.cfg | 2 + etc/conf.d/8.1.5_record_user_group_edit.cfg | 2 + lib/utils.sh | 3 +- 5 files changed, 144 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/8.1.4_record_date_time_edit.sh create mode 100755 bin/hardening/8.1.5_record_user_group_edit.sh create mode 100644 etc/conf.d/8.1.4_record_date_time_edit.cfg create mode 100644 etc/conf.d/8.1.5_record_user_group_edit.cfg diff --git a/bin/hardening/8.1.4_record_date_time_edit.sh b/bin/hardening/8.1.4_record_date_time_edit.sh new file mode 100755 index 0000000..f1ac82b --- /dev/null +++ b/bin/hardening/8.1.4_record_date_time_edit.sh 
@@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.4 Record Events That Modify Date and Time Information (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change +-a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change +-w /etc/localtime -p wa -k time-change' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
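Review bot: `eval $(pkill -HUP -P 1 auditd)` in the apply of 8.1.4_record_date_time_edit.sh does not reload the rules: pkill prints nothing, so eval runs an empty command and pkill's own exit status is discarded, and a SIGHUP only makes auditd re-read auditd.conf — rules appended to /etc/audit/audit.rules are loaded with `auditctl -R`, not by a reload. Drop the eval and, after the loop, load the file once when something was added: `auditctl -R $FILE > /dev/null` (or `service auditd restart`). `IFS=$'\n'` is set at the top of audit and apply and never restored, so every helper and main.sh step that runs afterwards inherits newline-only word splitting; iterating with `while IFS= read -r AUDIT_VALUE; do … done <<< "$AUDIT_PARAMS"` avoids touching the global IFS at all. Both points apply unchanged to 8.1.5_record_user_group_edit.sh.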
diff --git a/bin/hardening/8.1.5_record_user_group_edit.sh b/bin/hardening/8.1.5_record_user_group_edit.sh
new file mode 100755
index 0000000..e181316
--- /dev/null
+++ b/bin/hardening/8.1.5_record_user_group_edit.sh
@@ -0,0 +1,69 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.5 Record Events That Modify User/Group Information (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /etc/group -p wa -k identity +-w /etc/passwd -p wa -k identity +-w /etc/gshadow -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/security/opasswd -p wa -k identity' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/8.1.4_record_date_time_edit.cfg b/etc/conf.d/8.1.4_record_date_time_edit.cfg new file mode 100644 index 0000000..e1e4502 
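Review bot: The `CIS_ROOT_DIR` check at the bottom of the file prints "aborting" but never aborts: after `echo "No CIS_ROOT_DIR variable, aborting"` the script falls through to the `[ -r $CIS_ROOT_DIR/lib/main.sh ] && …` line, which with an empty variable silently tests `/lib/main.sh`, and the script ends with status 1 without having audited anything (with `set -u` an unset variable already aborts at expansion, so this branch is only reached when the variable is set but empty). Make the branch match the one above it, `echo "No CIS_ROOT_DIR variable, aborting"; exit 128`, and quote the test, `if [ -z "$CIS_ROOT_DIR" ]; then`, so it does not rely on the one-argument form of `[`. The same boilerplate block appears in every other script of this series.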
--- /dev/null
+++ b/etc/conf.d/8.1.4_record_date_time_edit.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.5_record_user_group_edit.cfg b/etc/conf.d/8.1.5_record_user_group_edit.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.5_record_user_group_edit.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/lib/utils.sh b/lib/utils.sh
index 6308adb..50f965d 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -111,7 +111,8 @@ does_pattern_exists_in_file() {
 local PATTERN=$2
 debug "Checking if $PATTERN is present in $FILE"
- if $(grep -qE "$PATTERN" $FILE); then
+ debug "grep -qE -- '$PATTERN' $FILE"
+ if $(grep -qE -- "$PATTERN" $FILE); then
 FNRET=0
 else
 FNRET=1
From befd3acdde487ae934cda3ebbd2a79cd2146b6e9 Mon Sep 17 00:00:00 2001
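Review bot: The `--` added to the grep call correctly protects rule lines that begin with `-`, but `if $(grep -qE -- "$PATTERN" $FILE); then` still works only by accident: `$( )` substitutes grep's empty stdout, leaving an empty command whose status happens to be grep's exit code. Write it as `if grep -qE -- "$PATTERN" "$FILE"; then`. The match is also an unanchored substring search, so a commented-out rule such as `#-w /etc/passwd -p wa -k identity` satisfies every 8.1.x audit script that calls this helper while auditd never loads it; either the callers pass an anchored pattern or the helper skips comment lines, e.g. `grep -v '^[[:space:]]*#' "$FILE" | grep -qE -- "$PATTERN"`. The function's opening and closing lines lie outside this hunk.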
From: "thibault.dewailly" Date: Thu, 14 Apr 2016 14:43:26 +0200 Subject: [PATCH 39/64] 8.1.10_record_dac_edit.sh 8.1.6_record_network_edit.sh 8.1.7_record_mac_edit.sh 8.1.8_record_login_logout.sh 8.1.9_record_session_init.sh --- bin/hardening/8.1.10_record_dac_edit.sh | 70 ++++++++++++++++++++++ bin/hardening/8.1.6_record_network_edit.sh | 70 ++++++++++++++++++++++ bin/hardening/8.1.7_record_mac_edit.sh | 65 ++++++++++++++++++++ bin/hardening/8.1.8_record_login_logout.sh | 67 +++++++++++++++++++++ bin/hardening/8.1.9_record_session_init.sh | 67 +++++++++++++++++++++ etc/conf.d/8.1.10_record_dac_edit.cfg | 2 + etc/conf.d/8.1.6_record_network_edit.cfg | 2 + etc/conf.d/8.1.7_record_mac_edit.cfg | 2 + etc/conf.d/8.1.8_record_login_logout.cfg | 2 + etc/conf.d/8.1.9_record_session_init.cfg | 2 + 10 files changed, 349 insertions(+) create mode 100755 bin/hardening/8.1.10_record_dac_edit.sh create mode 100755 bin/hardening/8.1.6_record_network_edit.sh create mode 100755 bin/hardening/8.1.7_record_mac_edit.sh create mode 100755 bin/hardening/8.1.8_record_login_logout.sh create mode 100755 bin/hardening/8.1.9_record_session_init.sh create mode 100644 etc/conf.d/8.1.10_record_dac_edit.cfg create mode 100644 etc/conf.d/8.1.6_record_network_edit.cfg create mode 100644 etc/conf.d/8.1.7_record_mac_edit.cfg create mode 100644 etc/conf.d/8.1.8_record_login_logout.cfg create mode 100644 etc/conf.d/8.1.9_record_session_init.cfg diff --git a/bin/hardening/8.1.10_record_dac_edit.sh b/bin/hardening/8.1.10_record_dac_edit.sh new file mode 100755 index 0000000..88d8fee --- /dev/null +++ b/bin/hardening/8.1.10_record_dac_edit.sh 
@@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.10 Collect Discretionary Access Control Permission Modification Events (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if 
[ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.6_record_network_edit.sh b/bin/hardening/8.1.6_record_network_edit.sh new file mode 100755 index 0000000..b6385e6 --- /dev/null +++ b/bin/hardening/8.1.6_record_network_edit.sh 
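Review bot: `IFS=$'\n'` at the top of audit() and apply() assigns the global IFS and never restores it, so after either function returns every unquoted expansion in main.sh and in any code sourced later splits on newlines only; since the file is bash, `local IFS=$'\n'` confines the change to the function. With the newline IFS in place `does_pattern_exists_in_file $FILE $AUDIT_VALUE` happens to work, but quoting both arguments, `does_pattern_exists_in_file "$FILE" "$AUDIT_VALUE"`, removes the dependency on that side effect. The same two functions are duplicated verbatim in the other 8.1.x scripts of this commit, so the fix belongs in all of them.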
@@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.6 Record Events That Modify the System's Network Environment (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale +-w /etc/issue -p wa -k system-locale +-w /etc/issue.net -p wa -k system-locale +-w /etc/hosts -p wa -k system-locale +-w /etc/network -p wa -k system-locale' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
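Review bot: The two syscall rules in AUDIT_PARAMS use `-a exit,always` while every other script in this series (8.1.4, 8.1.10, …) writes `-a always,exit`; auditctl accepts either order as far as I know, but the audit here is a literal text match through does_pattern_exists_in_file, so a host that already carries the rule in the `always,exit` spelling is reported non-compliant and apply() appends a second copy. Normalise to `-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale` (and the matching b32 line) to agree with the sibling scripts, or make the check tolerant of both spellings.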
diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh new file mode 100755 index 0000000..41b8e98 --- /dev/null +++ b/bin/hardening/8.1.7_record_mac_edit.sh @@ -0,0 +1,65 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.7 Record Events That Modify the System's Mandatory Access Controls (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /etc/selinux/ -p wa -k MAC-policy' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
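Review bot: The only rule, `-w /etc/selinux/ -p wa -k MAC-policy`, assumes SELinux is the MAC in use; a Debian 7 install does not run SELinux by default and usually has no `/etc/selinux/` directory, so the watch targets a path that may not exist (how auditctl treats a watch on a missing path varies by version — please check on the target). Consider also watching `/etc/apparmor/` and `/etc/apparmor.d/` where AppArmor is the installed MAC, or at least have check_config() confirm the directory exists before apply() appends the rule, since the text check will otherwise report the control as satisfied while nothing is monitored.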
diff --git a/bin/hardening/8.1.8_record_login_logout.sh b/bin/hardening/8.1.8_record_login_logout.sh new file mode 100755 index 0000000..8949f90 --- /dev/null +++ b/bin/hardening/8.1.8_record_login_logout.sh @@ -0,0 +1,67 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.8 Collect Login and Logout Events (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /var/log/faillog -p wa -k logins +-w /var/log/lastlog -p wa -k logins +-w /var/log/tallylog -p wa -k logins' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
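Review bot: The last line, `[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh`, silently skips the whole audit/apply when main.sh is missing or unreadable: the `&&` suppresses `set -e`, nothing is logged, and the script ends with status 1 that looks like an ordinary audit failure. Fail loudly instead: `[ -r "$CIS_ROOT_DIR/lib/main.sh" ] || { echo "Cannot read $CIS_ROOT_DIR/lib/main.sh, aborting"; exit 128; }` followed by `. "$CIS_ROOT_DIR/lib/main.sh"`. Separately, `/var/log/tallylog` only exists on Debian when pam_tally is configured, so the third watch may point at a missing file — worth confirming on the target hosts.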
diff --git a/bin/hardening/8.1.9_record_session_init.sh b/bin/hardening/8.1.9_record_session_init.sh new file mode 100755 index 0000000..c2d0474 --- /dev/null +++ b/bin/hardening/8.1.9_record_session_init.sh @@ -0,0 +1,67 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.9 Collect Session Initiation Information (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k session +-w /var/log/btmp -p wa -k session' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
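Review bot: audit() leaves FNRET holding only the result of the last does_pattern_exists_in_file call, so anything that reads FNRET after audit() — the way the 1.1 script's apply() reads its own audit() result — sees "present" whenever the `/var/log/btmp` watch exists, even if the `utmp` and `wtmp` rules are missing; the per-rule crit lines are the only trace. Track an aggregate: `local MISSING=0` before the loop, `MISSING=1` in the crit branch, and `FNRET=$MISSING` as the last statement. main.sh is outside this hunk, so whether anything currently consumes FNRET after audit() I cannot tell from here.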
diff --git a/etc/conf.d/8.1.10_record_dac_edit.cfg b/etc/conf.d/8.1.10_record_dac_edit.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.10_record_dac_edit.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.6_record_network_edit.cfg b/etc/conf.d/8.1.6_record_network_edit.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.6_record_network_edit.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.7_record_mac_edit.cfg b/etc/conf.d/8.1.7_record_mac_edit.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.7_record_mac_edit.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.8_record_login_logout.cfg b/etc/conf.d/8.1.8_record_login_logout.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.8_record_login_logout.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.9_record_session_init.cfg b/etc/conf.d/8.1.9_record_session_init.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.9_record_session_init.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From 1a4dbf8dc0291305b2453f961add3273f8985030 Mon Sep 17 00:00:00 2001
From: "thibault.dewailly" Date: Thu, 14 Apr 2016 16:44:14 +0200 Subject: [PATCH 40/64] 8.1.11_record_failed_access_file.sh 8.1.12_record_privileged_commands.sh 8.1.13_record_successful_mount.sh 8.1.14_record_file_deletions.sh 8.1.15_record_sudoers_edit.sh 8.1.16_record_sudo_usage.sh 8.1.17_record_kernel_modules.sh 8.1.18_freeze_auditd_conf.sh --- .../8.1.11_record_failed_access_file.sh | 68 +++++++++++++++++++ .../8.1.12_record_privileged_commands.sh | 68 +++++++++++++++++++ .../8.1.13_record_successful_mount.sh | 66 ++++++++++++++++++ bin/hardening/8.1.14_record_file_deletions.sh | 66 ++++++++++++++++++ bin/hardening/8.1.15_record_sudoers_edit.sh | 66 ++++++++++++++++++ bin/hardening/8.1.16_record_sudo_usage.sh | 65 ++++++++++++++++++ bin/hardening/8.1.17_record_kernel_modules.sh | 68 +++++++++++++++++++ bin/hardening/8.1.18_freeze_auditd_conf.sh | 65 ++++++++++++++++++ .../8.1.11_record_failed_access_file.cfg | 2 + .../8.1.12_record_privileged_commands.cfg | 2 + etc/conf.d/8.1.13_record_successful_mount.cfg | 2 + etc/conf.d/8.1.14_record_file_deletions.cfg | 2 + etc/conf.d/8.1.15_record_sudoers_edit.cfg | 2 + etc/conf.d/8.1.16_record_sudo_usage.cfg | 2 + etc/conf.d/8.1.17_record_kernel_modules.cfg | 2 + etc/conf.d/8.1.18_freeze_auditd_conf.cfg | 2 + 16 files changed, 548 insertions(+) create mode 100755 bin/hardening/8.1.11_record_failed_access_file.sh create mode 100755 bin/hardening/8.1.12_record_privileged_commands.sh create mode 100755 bin/hardening/8.1.13_record_successful_mount.sh create mode 100755 bin/hardening/8.1.14_record_file_deletions.sh create mode 100755 bin/hardening/8.1.15_record_sudoers_edit.sh create mode 100755 bin/hardening/8.1.16_record_sudo_usage.sh create mode 100755 bin/hardening/8.1.17_record_kernel_modules.sh create mode 100755 bin/hardening/8.1.18_freeze_auditd_conf.sh create mode 100644 etc/conf.d/8.1.11_record_failed_access_file.cfg create mode 100644 etc/conf.d/8.1.12_record_privileged_commands.cfg create mode 100644 
etc/conf.d/8.1.13_record_successful_mount.cfg create mode 100644 etc/conf.d/8.1.14_record_file_deletions.cfg create mode 100644 etc/conf.d/8.1.15_record_sudoers_edit.cfg create mode 100644 etc/conf.d/8.1.16_record_sudo_usage.cfg create mode 100644 etc/conf.d/8.1.17_record_kernel_modules.cfg create mode 100644 etc/conf.d/8.1.18_freeze_auditd_conf.cfg diff --git a/bin/hardening/8.1.11_record_failed_access_file.sh b/bin/hardening/8.1.11_record_failed_access_file.sh new file mode 100755 index 0000000..1069c0c --- /dev/null +++ b/bin/hardening/8.1.11_record_failed_access_file.sh 
@@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.11 Collect Unsuccessful Unauthorized Access Attempts to Files (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.12_record_privileged_commands.sh b/bin/hardening/8.1.12_record_privileged_commands.sh new file mode 100755 index 0000000..1b38815 --- /dev/null +++ b/bin/hardening/8.1.12_record_privileged_commands.sh 
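Review bot: audit() and apply() here are byte-for-byte the same loops as in 8.1.4, 8.1.5, 8.1.10 and the other scripts of this series, with only the AUDIT_PARAMS string differing, so each fix to the check (quoting, the reload, comment handling) has to land fifteen times. Moving the two loops into lib/utils.sh, e.g. `audit_rules_present "$FILE" "$AUDIT_PARAMS"` and `add_missing_audit_rules "$FILE" "$AUDIT_PARAMS"`, would let every 8.1.x script shrink to its rule list. Also worth a comment above AUDIT_PARAMS: the rules are used as ERE patterns, which is only safe because none of the text (`-F exit=-EACCES`, `auid>=1000`, …) contains regex metacharacters; a future rule with `.`, `+` or `(` would silently loosen the check.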
@@ -0,0 +1,68 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.12 Collect Use of Privileged Commands (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# Find all files with setuid or setgid set +AUDIT_PARAMS=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print \ +"-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \ +-k privileged" }') +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
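Review bot: AUDIT_PARAMS is computed with `find / -xdev …` at load time, so the setuid/setgid scan runs even when the script's status is disabled (it precedes the sourcing of main.sh) and, because of `-xdev`, covers only the filesystem holding `/`; a separate `/usr`, `/opt` or `/home` partition is never scanned, whereas the benchmark's remediation, as I recall, runs the find once per partition. The discovered path is then used as an ERE pattern by does_pattern_exists_in_file, so a path containing `.`, `+` or `(` matches more loosely than intended. Consider moving the find into audit()/apply(), iterating over the local mount points (e.g. `df --local -P | awk 'NR>1 {print $6}'`), and escaping each path before it becomes a pattern. The rule set will also drift whenever packages add or remove setuid binaries, so the audit flags new binaries until apply() runs again — probably acceptable, but worth a comment.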
diff --git a/bin/hardening/8.1.13_record_successful_mount.sh b/bin/hardening/8.1.13_record_successful_mount.sh
new file mode 100755
index 0000000..9a23678
--- /dev/null
+++ b/bin/hardening/8.1.13_record_successful_mount.sh
@@ -0,0 +1,66 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.13 Collect Successful File System Mounts (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/8.1.14_record_file_deletions.sh b/bin/hardening/8.1.14_record_file_deletions.sh new file mode 100755 index 0000000..ba4e0a4 --- /dev/null 
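Review bot: Both rules are keyed on `-F arch=b64` and `-F arch=b32` without checking what the host actually is; on a 32-bit Debian 7 kernel auditctl is expected to reject the b64 line (and the b64 lines of the sibling scripts), so after apply() the rules file carries entries the daemon refuses at the next load, while on a 64-bit host without 32-bit compat the b32 line is harmless but dead. check_config() is the natural place to detect the architecture, e.g. `case $(uname -m) in x86_64) … ;; i?86) … ;; esac`, and trim AUDIT_PARAMS accordingly. Not specific to this script, but it is small enough to prototype the change in before propagating it to the others.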
+++ b/bin/hardening/8.1.14_record_file_deletions.sh @@ -0,0 +1,66 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.14 Collect File Deletion Events by User (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
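Review bot: `eval $(pkill -HUP -P 1 auditd)` in apply() runs once per rule that was appended, from inside the loop, and the `eval $( )` wrapper evaluates only pkill's empty stdout, so pkill's exit status is thrown away and a stopped auditd is never reported. Send the signal once after the loop and check it, `pkill -HUP -P 1 auditd || warn "auditd not running, rules will load at next start"`. Whether SIGHUP actually loads the new lines from audit.rules rather than just re-reading auditd.conf should be confirmed on the target before relying on it; the 8.1.4 script in this series uses the same construct.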
diff --git a/bin/hardening/8.1.15_record_sudoers_edit.sh b/bin/hardening/8.1.15_record_sudoers_edit.sh new file mode 100755 index 0000000..4701849 --- /dev/null +++ b/bin/hardening/8.1.15_record_sudoers_edit.sh @@ -0,0 +1,66 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.15 Collect Changes to System Administration Scope (sudoers) (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /etc/sudoers -p wa -k sudoers +-w /etc/sudoers.d/ -p wa -k sudoers' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
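Review bot: check_config() is left as `:`, yet apply() calls add_end_of_file on `/etc/audit/audit.rules` unconditionally; if auditd is not installed on the host (the file is absent) the helper presumably creates an orphan rules file that nothing ever loads, and the script then reports the sudoers watches as applied. Have check_config() verify the prerequisite, e.g. `[ -f "$FILE" ] || { crit "$FILE not found, is auditd installed?"; exit 1; }` (or whatever convention main.sh expects from check_config — main.sh is outside this hunk), and let apply() skip when it fails. The `-w /etc/sudoers -p wa -k sudoers` and `-w /etc/sudoers.d/ -p wa -k sudoers` rules themselves look right.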
diff --git a/bin/hardening/8.1.16_record_sudo_usage.sh b/bin/hardening/8.1.16_record_sudo_usage.sh new file mode 100755 index 0000000..021d08b --- /dev/null +++ b/bin/hardening/8.1.16_record_sudo_usage.sh @@ -0,0 +1,65 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 8.1.16 Collect System Administrator Actions (sudolog) (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +AUDIT_PARAMS='-w /var/log/auth.log -p wa -k sudoaction' +FILE='/etc/audit/audit.rules' + +# This function will be called if the script status is on enabled / audit mode +audit () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + debug "$AUDIT_VALUE must be in file $FILE" + does_pattern_exists_in_file $FILE $AUDIT_VALUE + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + eval $(pkill -HUP -P 1 auditd) + else + ok "$AUDIT_VALUE present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
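Review bot: `-w /var/log/auth.log -p wa -k sudoaction` watches a file that syslog appends to on every authentication event, not just sudo, so on a busy host this one rule can produce an audit record per syslog write and fill the audit log far faster than the other rules in this series; `max_log_file` and `max_log_file_action` in auditd.conf should be sized with that in mind, or sudo configured to log to its own file (`Defaults logfile=/var/log/sudo.log` in sudoers) and that file watched instead. Whichever is chosen, a comment above AUDIT_PARAMS explaining why auth.log is the target here would help the next reader.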
diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh
new file mode 100755
index 0000000..06128d8
--- /dev/null
+++ b/bin/hardening/8.1.17_record_kernel_modules.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+AUDIT_PARAMS='-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
+FILE='/etc/audit/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ crit "$AUDIT_VALUE is not in file $FILE"
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ eval $(pkill -HUP -P 1 auditd)
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.18_freeze_auditd_conf.sh
new file mode 100755
index 0000000..f1d6a0c
--- /dev/null
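Review bot: the syscall rule in AUDIT_PARAMS is limited to `-F arch=b64`; a module loaded or removed through the 32-bit syscall ABI on a 64-bit kernel is not matched, and on a 32-bit kernel there is no b64 ABI at all, so the rule cannot fire (auditctl may even reject it — please verify on such a host). The CIS text for this item, as far as I recall, pairs it with `-a always,exit -F arch=b32 -S init_module -S delete_module -k modules`; adding that line to AUDIT_PARAMS makes the coverage match the control, and the audit()/apply() loops already handle any number of lines. The eval/pkill and IFS points raised on the 8.1.16 hunk apply here unchanged.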
+++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.1.17 Collect Kernel Module Loading and Unloading (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+AUDIT_PARAMS='-e 2'
+FILE='/etc/audit/audit.rules'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ crit "$AUDIT_VALUE is not in file $FILE"
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ IFS=$'\n'
+ for AUDIT_VALUE in $AUDIT_PARAMS; do
+ debug "$AUDIT_VALUE must be in file $FILE"
+ does_pattern_exists_in_file $FILE $AUDIT_VALUE
+ if [ $FNRET != 0 ]; then
+ warn "$AUDIT_VALUE is not in file $FILE, adding it"
+ add_end_of_file $FILE $AUDIT_VALUE
+ eval $(pkill -HUP -P 1 auditd)
+ else
+ ok "$AUDIT_VALUE present in $FILE"
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/8.1.11_record_failed_access_file.cfg b/etc/conf.d/8.1.11_record_failed_access_file.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.11_record_failed_access_file.cfg
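Review bot: the header comment `# 8.1.17 Collect Kernel Module Loading and Unloading (Scored)` was carried over from the previous script; this file implements the immutable-configuration item, so something like `# 8.1.18 Make the Audit Configuration Immutable (Scored)` should replace it. More important, `-e 2` only does its job as the last line of $FILE: auditctl processes the rules file in order and refuses every rule change after the flag, so once apply() has appended it, any later run of an 8.1.x script whose apply() calls add_end_of_file will place its rule after `-e 2`, where it is rejected at load time while the audit() of that script still reports the line as present. That ordering constraint deserves a comment here (and in the shared add_end_of_file helper, which is outside this hunk), and the safest apply() is one that removes an existing `-e 2` line before re-appending it so it stays last.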
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.12_record_privileged_commands.cfg b/etc/conf.d/8.1.12_record_privileged_commands.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.12_record_privileged_commands.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.13_record_successful_mount.cfg b/etc/conf.d/8.1.13_record_successful_mount.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.13_record_successful_mount.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.14_record_file_deletions.cfg b/etc/conf.d/8.1.14_record_file_deletions.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.14_record_file_deletions.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.15_record_sudoers_edit.cfg b/etc/conf.d/8.1.15_record_sudoers_edit.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.15_record_sudoers_edit.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.16_record_sudo_usage.cfg b/etc/conf.d/8.1.16_record_sudo_usage.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.16_record_sudo_usage.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.17_record_kernel_modules.cfg b/etc/conf.d/8.1.17_record_kernel_modules.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.17_record_kernel_modules.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.1.18_freeze_auditd_conf.cfg b/etc/conf.d/8.1.18_freeze_auditd_conf.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.1.18_freeze_auditd_conf.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From 45dcda440236bbf7b8dfbe7bebe29b1cc64e5aa9 Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Thu, 14 Apr 2016 17:55:14 +0200
Subject: [PATCH 41/64] 8.2.1_install_syslog-ng.sh 8.2.2_enable_syslog-ng.sh 8.2.3_configure_syslog-ng.sh 8.2.4_set_logfile_perm.sh
---
 bin/hardening/2.25_disable_automounting.sh | 2 +-
 bin/hardening/3.2_bootloader_permissions.sh | 1 -
 bin/hardening/8.2.1_install_syslog-ng.sh | 56 +++++++++++++
 bin/hardening/8.2.2_enable_syslog-ng.sh | 58 ++++++++++++++
 bin/hardening/8.2.3_configure_syslog-ng.sh | 46 +++++++++++
 bin/hardening/8.2.4_set_logfile_perm.sh | 89 +++++++++++++++++++++
 etc/conf.d/8.2.1_install_syslog-ng.cfg | 2 +
 etc/conf.d/8.2.2_enable_syslog-ng.cfg | 2 +
 etc/conf.d/8.2.3_configure_syslog-ng.cfg | 2 +
 etc/conf.d/8.2.4_set_logfile_perm.cfg | 2 +
 lib/utils.sh | 6 +-
 11 files changed, 261 insertions(+), 5 deletions(-)
 create mode 100755 bin/hardening/8.2.1_install_syslog-ng.sh
 create mode 100755 bin/hardening/8.2.2_enable_syslog-ng.sh
 create mode 100755 bin/hardening/8.2.3_configure_syslog-ng.sh
 create mode 100755 bin/hardening/8.2.4_set_logfile_perm.sh
 create mode 100644 etc/conf.d/8.2.1_install_syslog-ng.cfg
 create mode 100644 etc/conf.d/8.2.2_enable_syslog-ng.cfg
 create mode 100644 etc/conf.d/8.2.3_configure_syslog-ng.cfg
 create mode 100644 etc/conf.d/8.2.4_set_logfile_perm.cfg
diff --git a/bin/hardening/2.25_disable_automounting.sh b/bin/hardening/2.25_disable_automounting.sh
index 7094597..7b72cbb 100755
--- a/bin/hardening/2.25_disable_automounting.sh
+++ b/bin/hardening/2.25_disable_automounting.sh
@@ -31,7 +31,7 @@ apply () {
 is_service_enabled $SERVICE_NAME
 if [ $FNRET = 0 ]; then
 info "Disabling $SERVICE_NAME"
- update-rc.d $SERVICE_NAME disable > /dev/null 2>&1
+ update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
 else
 ok "$SERVICE_NAME is disabled"
 fi
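Review bot: switching `disable` to `remove` in 2.25's apply() changes what survives an upgrade, and the commit does not say why. `update-rc.d remove` deletes all rc links for the service, and the Debian maintainer script that next runs `update-rc.d ... defaults` for that package recreates them because none exist, so automounting silently comes back; `disable` keeps K links in place, which the same call leaves untouched. If `disable` was dropped because is_service_enabled (outside the hunk) still saw the K links as "enabled", the fix belongs in that helper, and either way a comment such as `# remove (not disable): links are recreated by the package's postinst on upgrade` is needed so the next reader does not revert it.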
diff --git a/bin/hardening/3.2_bootloader_permissions.sh b/bin/hardening/3.2_bootloader_permissions.sh
index 2967579..faba57c 100755
--- a/bin/hardening/3.2_bootloader_permissions.sh
+++ b/bin/hardening/3.2_bootloader_permissions.sh
@@ -40,7 +40,6 @@ apply () {
 # This function will check config parameters required
 check_config() {
- is_pkg_installed "grub-pc"
 if [ $FNRET != 0 ]; then
 warn "grub-pc is not installed, not handling configuration"
diff --git a/bin/hardening/8.2.1_install_syslog-ng.sh b/bin/hardening/8.2.1_install_syslog-ng.sh
new file mode 100755
index 0000000..572f274
--- /dev/null
+++ b/bin/hardening/8.2.1_install_syslog-ng.sh
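Review bot: removing `is_pkg_installed "grub-pc"` leaves `if [ $FNRET != 0 ]; then` in check_config() testing a value that nothing in the function sets. check_config is the first hook lib/main.sh calls, so unless FNRET is initialised by a library the script now dies on an unbound variable under `set -u`, and if it is initialised the grub-pc branch is decided by stale state rather than by the package check. Either the call should stay, or the `if`/`warn` lines (check_config continues past the hunk) should go with it; a one-line comment on the intended behaviour would settle which.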
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.2.1 Install the syslog-ng package (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# NB : in CIS, rsyslog has been chosen, however we chose syslog-ng
+PACKAGE='syslog-ng'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.2.2_enable_syslog-ng.sh b/bin/hardening/8.2.2_enable_syslog-ng.sh
new file mode 100755
index 0000000..548d576
--- /dev/null
+++ b/bin/hardening/8.2.2_enable_syslog-ng.sh
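Review bot: apply() logs `crit "$PACKAGE is absent, installing it"` for a condition it is about to remediate, while the other apply() functions in this series (8.1.16 through 8.1.18, 2.25) use `warn` for "missing, fixing it" and reserve `crit`/`[ KO ]` for audit findings; anyone grepping the run log for KO lines will count a successful install as a failure. `warn "$PACKAGE is absent, installing it"` keeps the severities consistent. The same line appears in the 8.3.1 hunk of PATCH 42.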
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.2.2 Ensure the syslog-ng Service is activated (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SERVICE_NAME="syslog-ng"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if $SERVICE_NAME is enabled"
+ is_service_enabled $SERVICE_NAME
+ if [ $FNRET = 0 ]; then
+ ok "$SERVICE_NAME is enabled"
+ else
+ crit "$SERVICE_NAME is disabled"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Checking if $SERVICE_NAME is enabled"
+ is_service_enabled $SERVICE_NAME
+ if [ $FNRET != 0 ]; then
+ info "Enabling $SERVICE_NAME"
+ update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+ update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1
+ else
+ ok "$SERVICE_NAME is enabled"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.2.3_configure_syslog-ng.sh b/bin/hardening/8.2.3_configure_syslog-ng.sh
new file mode 100755
index 0000000..423e0e2
--- /dev/null
+++ b/bin/hardening/8.2.3_configure_syslog-ng.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.2.3 Configure /etc/syslog-ng/syslog-ng.conf (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SERVICE_NAME="syslog-ng"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Ensure default and local facilities are preserved on the system"
+ info "No measure here, please review the file by yourself"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Ensure default and local facilities are preserved on the system"
+ info "No measure here, please review the file by yourself"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.2.4_set_logfile_perm.sh b/bin/hardening/8.2.4_set_logfile_perm.sh
new file mode 100755
index 0000000..bf2f72b
--- /dev/null
+++ b/bin/hardening/8.2.4_set_logfile_perm.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.2.4 Create and Set Permissions on rsyslog Log Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILES=$(grep "file(" /etc/syslog-ng/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
+PERMISSIONS='640'
+USER='root'
+GROUP='adm'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for FILE in $FILES; do
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ crit "$FILE has not $PERMISSIONS permissions set"
+ fi
+ done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ for FILE in $FILES; do
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ info "$FILE does not exist"
+ touch $FILE
+ fi
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ warn "$FILE is not $USER:$GROUP ownership set"
+ chown $USER:$GROUP $FILE
+ fi
+ has_file_correct_permissions $FILE $PERMISSIONS
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct permissions"
+ else
+ info "fixing $FILE permissions to $PERMISSIONS"
+ chmod 0$PERMISSIONS $FILE
+ fi
+ done
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/8.2.1_install_syslog-ng.cfg b/etc/conf.d/8.2.1_install_syslog-ng.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.2.1_install_syslog-ng.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.2.2_enable_syslog-ng.cfg b/etc/conf.d/8.2.2_enable_syslog-ng.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.2.2_enable_syslog-ng.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.2.3_configure_syslog-ng.cfg b/etc/conf.d/8.2.3_configure_syslog-ng.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.2.3_configure_syslog-ng.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.2.4_set_logfile_perm.cfg b/etc/conf.d/8.2.4_set_logfile_perm.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.2.4_set_logfile_perm.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/lib/utils.sh b/lib/utils.sh
index 50f965d..bdad3dd 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -86,9 +86,9 @@ has_file_correct_ownership() {
 local USER=$2
 local GROUP=$3
 local USERID=$(id -u $USER)
- local GROUPID=$(id -u $GROUP)
-
- if [ "$(stat -c "%u %g" $1)" = "$USERID $GROUPID" ]; then
+ local GROUPID=$(getent group $GROUP | cut -d: -f3)
+ debug "stat -c '%u %g' $FILE"
+ if [ "$(stat -c "%u %g" $FILE)" = "$USERID $GROUPID" ]; then
 FNRET=0
 else
 FNRET=1
From 586d6823fa5341b55f00597db0d14d1e0226ecad Mon Sep 17 00:00:00 2001
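Review bot: `FILES=$(grep "file(" /etc/syslog-ng/syslog-ng.conf | grep '"' | cut -d'"' -f 2)` runs at source time under `set -e`, before check_config(), so a missing syslog-ng.conf or one with no file() destination makes grep exit non-zero and the script stops with no crit/warn line at all. The extraction is also loose: it takes the first quoted string of any line containing `file(`, including commented-out destinations and non-path arguments, so a `grep -v '^[[:space:]]*#'` stage (or a match anchored on `file("`) before the cut would keep apply() from touching and chowning files the daemon never writes. In apply(), `touch $FILE` creates a missing log with the process umask and the chmod only follows after a second helper call; `install -m 0$PERMISSIONS -o $USER -g $GROUP /dev/null $FILE` creates it with the right mode and owner in one step.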
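Review bot: `local GROUPID=$(getent group $GROUP | cut -d: -f3)` fixes the old `id -u $GROUP`, but `local` masks the substitution's exit status, so an unknown group (or an unknown user on the `id -u` line above) leaves the id empty and the function reports wrong ownership instead of an error; splitting declaration from assignment and checking the value, e.g. `[ -n "$GROUPID" ] || { crit "unknown group $GROUP"; FNRET=1; return; }`, makes the failure visible. The stat call now uses `$FILE` where the old code used `$1`; the `local FILE=$1` that would define it must sit above this hunk (the function header is outside it), otherwise `set -u` aborts every caller. 8.2.4's check_config validates the user and group before calling this helper, so the masking mostly affects other callers.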
From: "thibault.dewailly"
Date: Thu, 14 Apr 2016 22:47:34 +0200
Subject: [PATCH 42/64] 8.2.5_syslog-ng_remote_host.sh 8.2.6_remote_syslog-ng_acl.sh 8.3.1_install_tripwire.sh
---
 bin/hardening/8.2.4_set_logfile_perm.sh | 2 +-
 bin/hardening/8.2.5_syslog-ng_remote_host.sh | 57 ++++++++++++++++++++
 bin/hardening/8.2.6_remote_syslog-ng_acl.sh | 42 +++++++++++++++
 bin/hardening/8.3.1_install_tripwire.sh | 57 ++++++++++++++++++++
 bin/postinstall/tripwire.sh | 20 +++++++
 etc/conf.d/8.2.4_set_logfile_perm.cfg | 1 +
 etc/conf.d/8.2.5_syslog-ng_remote_host.cfg | 2 +
 etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg | 2 +
 etc/conf.d/8.3.1_install_tripwire.cfg | 2 +
 lib/utils.sh | 11 ----
 10 files changed, 184 insertions(+), 12 deletions(-)
 create mode 100755 bin/hardening/8.2.5_syslog-ng_remote_host.sh
 create mode 100755 bin/hardening/8.2.6_remote_syslog-ng_acl.sh
 create mode 100755 bin/hardening/8.3.1_install_tripwire.sh
 create mode 100755 bin/postinstall/tripwire.sh
 create mode 100644 etc/conf.d/8.2.5_syslog-ng_remote_host.cfg
 create mode 100644 etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg
 create mode 100644 etc/conf.d/8.3.1_install_tripwire.cfg
diff --git a/bin/hardening/8.2.4_set_logfile_perm.sh b/bin/hardening/8.2.4_set_logfile_perm.sh
index bf2f72b..f2efcf5 100755
--- a/bin/hardening/8.2.4_set_logfile_perm.sh
+++ b/bin/hardening/8.2.4_set_logfile_perm.sh
@@ -12,13 +12,13 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
-FILES=$(grep "file(" /etc/syslog-ng/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
 PERMISSIONS='640'
 USER='root'
 GROUP='adm'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
+ FILES=$(grep "file(" $SYSLOG_BASEDIR/syslog-ng.conf | grep '"' | cut -d'"' -f 2)
 for FILE in $FILES; do
 has_file_correct_ownership $FILE $USER $GROUP
 if [ $FNRET = 0 ]; then
diff --git a/bin/hardening/8.2.5_syslog-ng_remote_host.sh b/bin/hardening/8.2.5_syslog-ng_remote_host.sh
new file mode 100755
index 0000000..5937650
--- /dev/null
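Review bot: FILES now depends on `$SYSLOG_BASEDIR`, which only the .cfg file supplies, while check_config() (below the hunk) still does nothing: an unset variable ends the script with a bash unbound-variable error rather than a crit line, and a wrong directory makes grep exit 1, which `set -e` turns into a silent abort. Adding `[ -n "${SYSLOG_BASEDIR:-}" ] && [ -r "$SYSLOG_BASEDIR/syslog-ng.conf" ] || { crit "SYSLOG_BASEDIR unset or syslog-ng.conf unreadable"; exit 128; }` to check_config gives both cases a diagnosable failure. The assignment is also added only to audit(); apply() further down still iterates `$FILES` and only works in enabled mode because audit() happens to run first, which deserves at least a comment. The same unchecked use of SYSLOG_BASEDIR appears in both 8.2.5 hunks of PATCH 43.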
+++ b/bin/hardening/8.2.5_syslog-ng_remote_host.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.2.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+#destination d_httpd_error { tcp("10.1.0.31" log_fifo_size(100000000) template("<187>$MSGHDR$MSG\n") template_escape(no)); };
+
+PATTERN='^destination.*(tcp|udp)[[:space:]]*\([[:space:]]*\".*\"[[:space:]]*\)'
+FILES='/etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/conf.d/*'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_pattern_exists_in_file "$FILES" "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILES"
+ else
+ ok "$PATTERN present in $FILES"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_pattern_exists_in_file "$FILES" "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILES, please set a remote host to send your logs"
+ else
+ ok "$PATTERN present in $FILES"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.2.6_remote_syslog-ng_acl.sh b/bin/hardening/8.2.6_remote_syslog-ng_acl.sh
new file mode 100755
index 0000000..c307c73
--- /dev/null
+++ b/bin/hardening/8.2.6_remote_syslog-ng_acl.sh
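Review bot: PATTERN only proves that a tcp/udp destination is declared somewhere; syslog-ng forwards nothing unless a `log { ... destination(name); }` statement references it, and the regex is equally satisfied by a destination pointing at the host itself or by a leftover test entry, so audit() can report OK on a machine that ships no logs off-box — a weak result for a Scored control. A second check that the matched destination's name appears in a `log {` block would make the finding meaningful; at minimum the header comment should say the check is syntactic. The glob in FILES is passed to does_pattern_exists_in_file as one quoted word, so the result depends on that helper expanding its argument unquoted; if that is intended, a comment next to `FILES=` saying so would save the next reader a trip into lib/utils.sh.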
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.2.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Not implemented yet"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Not implemented yet"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/8.3.1_install_tripwire.sh b/bin/hardening/8.3.1_install_tripwire.sh
new file mode 100755
index 0000000..fddce71
--- /dev/null
+++ b/bin/hardening/8.3.1_install_tripwire.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.2.1 Install the syslog-ng package (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# NB : in CIS, AIDE has been chosen, however we chose tripwire
+PACKAGE='tripwire'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ info "Tripwire is now installed but not fully functionnal, please see readme to go further"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/postinstall/tripwire.sh b/bin/postinstall/tripwire.sh
new file mode 100755
index 0000000..bb043e7
--- /dev/null
+++ b/bin/postinstall/tripwire.sh
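Review bot: the header comment `# 8.2.1 Install the syslog-ng package (Scored)` was copied from 8.2.1; this script is 8.3.1 and, per the NB line below it, stands in for the AIDE item, so a header such as `# 8.3.1 Install AIDE (Scored) — tripwire is used instead, see NB` describes what the file does. The post-install message could also point at the actual helper, `bin/postinstall/tripwire.sh`, rather than an unnamed readme, and "functionnal" should read "functional". The crit-on-install severity point raised on the 8.2.1 hunk applies here too.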
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+#
+
+# If you followed this CIS hardenning, this script follows 8.3.1_install_tripwire.sh
+# After installing tripwire, you may want to run those few commented commands to make it fully functionnal
+
+echo "Generating Site key file..."
+twadmin -m G -S /etc/tripwire/site.key # Generates Site key file
+echo "Generating Local key file..."
+twadmin -m G -S /etc/tripwire/$(hostname -f)-local.key # Generate local key file
+echo "Generating encrypted policy..."
+twadmin -m P /etc/tripwire/twpol.txt # Apply new policy with generated site key file
+echo "Generating Local database with newly created key..."
+/usr/sbin/twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt # Init database with generated local key file
+echo "Testing tripwire database update"
+tripwire -m i # Test configuration update
+~
diff --git a/etc/conf.d/8.2.4_set_logfile_perm.cfg b/etc/conf.d/8.2.4_set_logfile_perm.cfg
index e1e4502..83a0977 100644
--- a/etc/conf.d/8.2.4_set_logfile_perm.cfg
+++ b/etc/conf.d/8.2.4_set_logfile_perm.cfg
@@ -1,2 +1,3 @@
 # Configuration for script of same name
 status=enabled
+SYSLOG_BASEDIR='/etc/syslog-ng'
diff --git a/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg b/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg b/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/8.3.1_install_tripwire.cfg b/etc/conf.d/8.3.1_install_tripwire.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.3.1_install_tripwire.cfg
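Review bot: the last line of the new script is a bare `~`, almost certainly an editor artefact; bash expands it to $HOME and tries to execute that as a command, so every run ends with an error and a non-zero status — delete the line. The inline comments also disagree with the commands they annotate: `twadmin --create-cfgfile ... twcfg.txt` writes the encrypted tw.cfg, not a database, and `tripwire -m i` initialises the integrity database rather than testing an update, so `# Create the encrypted tw.cfg from twcfg.txt` and `# Initialise the integrity database` would match what runs. As far as I recall twadmin takes the local key through `-L` (`twadmin -m G -L /etc/tripwire/$(hostname -f)-local.key`) and reads tw.cfg to locate keys when building the policy, which suggests the `--create-cfgfile` step belongs before `-m P`; please verify against twadmin(8). Without `set -e` a failed key generation does not stop the later steps, and `$(hostname -f)` should be quoted.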
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/lib/utils.sh b/lib/utils.sh
index bdad3dd..384a15f 100644
--- a/lib/utils.sh
+++ b/lib/utils.sh
@@ -44,17 +44,6 @@ set_sysctl_param() {
 fi
 }
-#
-# Network
-#
-
-is_ipv6_disabled_by_bootloader() {
- #if
- #
- :
-}
-
-
 #
 # Dmesg
 #
From f4927c2ebb09040b3acfcba9c761096cf72d4e2b Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Thu, 14 Apr 2016 23:05:58 +0200
Subject: [PATCH 43/64] 8.3.2_tripwire_cron.sh
---
 bin/hardening/8.2.5_syslog-ng_remote_host.sh | 5 +-
 bin/hardening/8.3.2_tripwire_cron.sh | 56 ++++++++++++++++++++
 etc/conf.d/8.2.5_syslog-ng_remote_host.cfg | 1 +
 etc/conf.d/8.3.2_tripwire_cron.cfg | 2 +
 4 files changed, 61 insertions(+), 3 deletions(-)
 create mode 100755 bin/hardening/8.3.2_tripwire_cron.sh
 create mode 100644 etc/conf.d/8.3.2_tripwire_cron.cfg
diff --git a/bin/hardening/8.2.5_syslog-ng_remote_host.sh b/bin/hardening/8.2.5_syslog-ng_remote_host.sh
index 5937650..50e1729 100755
--- a/bin/hardening/8.2.5_syslog-ng_remote_host.sh
+++ b/bin/hardening/8.2.5_syslog-ng_remote_host.sh
@@ -12,13 +12,11 @@
 set -e # One error, it's over
 set -u # One variable unset, it's over
-#destination d_httpd_error { tcp("10.1.0.31" log_fifo_size(100000000) template("<187>$MSGHDR$MSG\n") template_escape(no)); };
-
 PATTERN='^destination.*(tcp|udp)[[:space:]]*\([[:space:]]*\".*\"[[:space:]]*\)'
-FILES='/etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/conf.d/*'
 # This function will be called if the script status is on enabled / audit mode
 audit () {
+ FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*"
 does_pattern_exists_in_file "$FILES" "$PATTERN"
 if [ $FNRET != 0 ]; then
 crit "$PATTERN not present in $FILES"
@@ -29,6 +27,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
+ FILES="$SYSLOG_BASEDIR/syslog-ng.conf $SYSLOG_BASEDIR/conf.d/*"
 does_pattern_exists_in_file "$FILES" "$PATTERN"
 if [ $FNRET != 0 ]; then
 crit "$PATTERN not present in $FILES, please set a remote host to send your logs"
diff --git a/bin/hardening/8.3.2_tripwire_cron.sh b/bin/hardening/8.3.2_tripwire_cron.sh
new file mode 100755
index 0000000..b6758a9
--- /dev/null
+++ b/bin/hardening/8.3.2_tripwire_cron.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.3.2 Implement Periodic Execution of File Integrity (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILES='/etc/crontab /etc/cron.d/*'
+PATTERN='tripwire --check'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_pattern_exists_in_file "$FILES" "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILES"
+ else
+ ok "$PATTERN present in $FILES"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_pattern_exists_in_file "$FILES" "$PATTERN"
+ if [ $FNRET != 0 ]; then
+ warn "$PATTERN not present in $FILES, setting tripwire cron"
+ echo "0 10 * * * root /usr/sbin/tripwire --check > /dev/shm/tripwire_check 2>&1 " > /etc/cron.d/CIS_8.3.2_tripwire
+ else
+ ok "$PATTERN present in $FILES"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg b/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg
index e1e4502..83a0977 100644
--- a/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg
+++ b/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg
@@ -1,2 +1,3 @@
 # Configuration for script of same name
 status=enabled
+SYSLOG_BASEDIR='/etc/syslog-ng'
diff --git a/etc/conf.d/8.3.2_tripwire_cron.cfg b/etc/conf.d/8.3.2_tripwire_cron.cfg
new file mode 100644
index 0000000..e1e4502
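Review bot: the cron line apply() writes sends the integrity report to `/dev/shm/tripwire_check`, a world-writable tmpfs that is emptied at reboot, so the one artefact this Scored control exists to produce is neither persistent nor protected from other local users; redirecting to a root-only file under /var/log, or leaving stdout to cron's mail with MAILTO set, keeps it reviewable after an incident. The cron.d file is created with the shell's umask, and cron (as far as I know) skips an /etc/cron.d entry that is group- or world-writable, so a `chmod 0644 /etc/cron.d/CIS_8.3.2_tripwire` after the echo makes the remediation reliable. `PATTERN='tripwire --check'` is also matched by a commented-out job, so audit() can pass while nothing is scheduled; anchoring the pattern on a non-comment line start, e.g. `'^[^#].*tripwire --check'`, closes that gap.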
--- /dev/null
+++ b/etc/conf.d/8.3.2_tripwire_cron.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From c8b01f7a23650fb9f7448b4b48923f20569cddcf Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Thu, 14 Apr 2016 23:08:52 +0200
Subject: [PATCH 44/64] 8.4_conifgure_logrotate.sh
---
 bin/hardening/8.4_conifgure_logrotate.sh | 46 ++++++++++++++++++++++++
 etc/conf.d/8.4_conifgure_logrotate.cfg | 2 ++
 2 files changed, 48 insertions(+)
 create mode 100755 bin/hardening/8.4_conifgure_logrotate.sh
 create mode 100644 etc/conf.d/8.4_conifgure_logrotate.cfg
diff --git a/bin/hardening/8.4_conifgure_logrotate.sh b/bin/hardening/8.4_conifgure_logrotate.sh
new file mode 100755
index 0000000..88ad028
--- /dev/null
+++ b/bin/hardening/8.4_conifgure_logrotate.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 8.4 Configure logrotate (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+SERVICE_NAME="syslog-ng"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Ensure logs are properly rotated (especially syslog-ng)"
+ info "No measure here, please review the files by yourself"
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Ensure logs are properly rotated (especially syslog-ng)"
+ info "No measure here, please review the file by yourself"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/8.4_conifgure_logrotate.cfg b/etc/conf.d/8.4_conifgure_logrotate.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/8.4_conifgure_logrotate.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From 6c9b2bbdd3305e07c1579a5a62158d605a9135b3 Mon Sep 17 00:00:00 2001
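Review bot: audit() and apply() only print info lines, so this check never reports ok or crit and passes silently, and `SERVICE_NAME` is assigned but never read. Even for a Not Scored item the audit can at least confirm that a logrotate stanza exists for the configured service (the Debian package is assumed to ship one under /etc/logrotate.d, confirm on the target release) using the `does_file_exist` helper the sibling scripts already use, and leave the content to manual review. apply() also says "file" where audit() says "files"; pick one wording.
```shell
audit () {
    info "Ensure logs are properly rotated (especially $SERVICE_NAME)"
    does_file_exist "/etc/logrotate.d/$SERVICE_NAME"
    if [ $FNRET != 0 ]; then
        warn "No /etc/logrotate.d/$SERVICE_NAME stanza found, please review logrotate configuration by yourself"
    else
        ok "/etc/logrotate.d/$SERVICE_NAME exists, please review its content by yourself"
    fi
}
```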
From: "thibault.dewailly" Date: Thu, 14 Apr 2016 23:11:09 +0200 Subject: [PATCH 45/64] 8.4_configure_logrotate.sh --- .../{8.4_conifgure_logrotate.sh => 8.4_configure_logrotate.sh} | 0 .../{8.4_conifgure_logrotate.cfg => 8.4_configure_logrotate.cfg} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename bin/hardening/{8.4_conifgure_logrotate.sh => 8.4_configure_logrotate.sh} (100%) rename etc/conf.d/{8.4_conifgure_logrotate.cfg => 8.4_configure_logrotate.cfg} (100%) diff --git a/bin/hardening/8.4_conifgure_logrotate.sh b/bin/hardening/8.4_configure_logrotate.sh similarity index 100% rename from bin/hardening/8.4_conifgure_logrotate.sh rename to bin/hardening/8.4_configure_logrotate.sh diff --git a/etc/conf.d/8.4_conifgure_logrotate.cfg b/etc/conf.d/8.4_configure_logrotate.cfg similarity index 100% rename from etc/conf.d/8.4_conifgure_logrotate.cfg rename to etc/conf.d/8.4_configure_logrotate.cfg From 9007ffdad166a7a0fb862d536949cda72e4020ff Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Thu, 14 Apr 2016 23:26:37 +0200 Subject: [PATCH 46/64] 9.1.1_enable_cron.sh 9.1.2_crontab_perm_ownership.sh --- bin/hardening/9.1.1_enable_cron.sh | 70 +++++++++++++++ bin/hardening/9.1.2_crontab_perm_ownership.sh | 85 +++++++++++++++++++ etc/conf.d/9.1.1_enable_cron.cfg | 2 + etc/conf.d/9.1.2_crontab_perm_ownership.cfg | 2 + 4 files changed, 159 insertions(+) create mode 100755 bin/hardening/9.1.1_enable_cron.sh create mode 100755 bin/hardening/9.1.2_crontab_perm_ownership.sh create mode 100644 etc/conf.d/9.1.1_enable_cron.cfg create mode 100644 etc/conf.d/9.1.2_crontab_perm_ownership.cfg diff --git a/bin/hardening/9.1.1_enable_cron.sh b/bin/hardening/9.1.1_enable_cron.sh new file mode 100755 index 0000000..33eb86d --- /dev/null +++ b/bin/hardening/9.1.1_enable_cron.sh 
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 9.1.1 Enable cron Daemon (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+PACKAGE="cron"
+SERVICE_NAME="cron"
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET != 0 ]; then
+ crit "$PACKAGE is not installed !"
+ else
+ ok "$PACKAGE is installed"
+ is_service_enabled $SERVICE_NAME
+ if [ $FNRET = 0 ]; then
+ ok "$SERVICE_NAME is enabled"
+ else
+ crit "$SERVICE_NAME is disabled"
+ fi
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ is_pkg_installed $PACKAGE
+ if [ $FNRET = 0 ]; then
+ ok "$PACKAGE is installed"
+ else
+ crit "$PACKAGE is absent, installing it"
+ apt_install $PACKAGE
+ is_service_enabled $SERVICE_NAME
+ if [ $FNRET != 0 ]; then
+ info "Enabling $SERVICE_NAME"
+ update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
+ update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1
+ else
+ ok "$SERVICE_NAME is enabled"
+ fi
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/9.1.2_crontab_perm_ownership.sh b/bin/hardening/9.1.2_crontab_perm_ownership.sh
new file mode 100755
index 0000000..e378b56
--- /dev/null
+++ b/bin/hardening/9.1.2_crontab_perm_ownership.sh
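Review bot: In apply() the `is_service_enabled` check is nested inside the `else` branch of the package test, so a host where cron is installed but disabled — the exact state audit() reports as crit — is never repaired; only a fresh `apt_install` reaches the update-rc.d calls. Move the service block after the package `fi` so it runs in both cases. The `crit "$PACKAGE is absent, installing it"` also reads as a finding rather than an action; the sibling scripts use `warn` before a fix.
```shell
apply () {
    is_pkg_installed $PACKAGE
    if [ $FNRET = 0 ]; then
        ok "$PACKAGE is installed"
    else
        warn "$PACKAGE is absent, installing it"
        apt_install $PACKAGE
    fi
    # Enable the service whether the package was just installed or already present
    is_service_enabled $SERVICE_NAME
    if [ $FNRET != 0 ]; then
        info "Enabling $SERVICE_NAME"
        update-rc.d $SERVICE_NAME remove > /dev/null 2>&1
        update-rc.d $SERVICE_NAME defaults > /dev/null 2>&1
    else
        ok "$SERVICE_NAME is enabled"
    fi
}
```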
@@ -0,0 +1,85 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/crontab' +PERMISSIONS='600' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/9.1.1_enable_cron.cfg b/etc/conf.d/9.1.1_enable_cron.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.1.1_enable_cron.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.1.2_crontab_perm_ownership.cfg b/etc/conf.d/9.1.2_crontab_perm_ownership.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.1.2_crontab_perm_ownership.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled From 682d94bf9c7af518f6d077708ae6655239e1c135 Mon Sep 17 00:00:00 2001 
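Review bot: The `No CIS_ROOT_DIR variable, aborting` branch only echoes and falls through: with an empty CIS_ROOT_DIR the script prints "aborting", the final `[ -r /lib/main.sh ]` test fails, and the script ends without running audit or apply and without an explicit failure code. Add `exit 128` after the echo, as the missing-file branch already does; this bootstrap block is copied into every script in the series, so fix it in the template. In apply(), `touch $FILE` creates a new /etc/crontab under the running umask before the chmod, so it is briefly 0644 — harmless for an empty file, but a `umask 077` at the top of apply() would close even that window.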
From: "thibault.dewailly" Date: Fri, 15 Apr 2016 10:18:23 +0200 Subject: [PATCH 47/64] 9.1.3_cron_hourly_perm_ownership.sh 9.1.4_cron_daily_perm_ownership.sh 9.1.5_cron_weekly_perm_ownership.sh 9.1.6_cron_monthly_perm_ownership.sh 9.1.7_cron_d_perm_ownership.sh 9.1.8_cron_users.sh --- bin/hardening/2.18_disable_cramfs.sh | 2 +- bin/hardening/2.19_disable_freevxfs.sh | 2 +- bin/hardening/2.20_disable_jffs2.sh | 2 +- bin/hardening/2.21_disable_hfs.sh | 2 +- bin/hardening/2.22_disable_hfsplus.sh | 2 +- bin/hardening/2.23_disable_squashfs.sh | 2 +- bin/hardening/2.24_disable_udf.sh | 2 +- bin/hardening/8.1.18_freeze_auditd_conf.sh | 2 +- bin/hardening/8.3.1_install_tripwire.sh | 2 +- .../9.1.3_cron_hourly_perm_ownership.sh | 85 +++++++++++++ .../9.1.4_cron_daily_perm_ownership.sh | 85 +++++++++++++ .../9.1.5_cron_weekly_perm_ownership.sh | 85 +++++++++++++ .../9.1.6_cron_monthly_perm_ownership.sh | 85 +++++++++++++ bin/hardening/9.1.7_cron_d_perm_ownership.sh | 85 +++++++++++++ bin/hardening/9.1.8_cron_users.sh | 112 ++++++++++++++++++ .../9.1.3_cron_hourly_perm_ownership.cfg | 2 + .../9.1.4_cron_daily_perm_ownership.cfg | 2 + .../9.1.5_cron_weekly_perm_ownership.cfg | 2 + .../9.1.6_cron_monthly_perm_ownership.cfg | 2 + etc/conf.d/9.1.7_cron_d_perm_ownership.cfg | 2 + etc/conf.d/9.1.8_cron_users.cfg | 2 + 21 files changed, 558 insertions(+), 9 deletions(-) create mode 100755 bin/hardening/9.1.3_cron_hourly_perm_ownership.sh create mode 100755 bin/hardening/9.1.4_cron_daily_perm_ownership.sh create mode 100755 bin/hardening/9.1.5_cron_weekly_perm_ownership.sh create mode 100755 bin/hardening/9.1.6_cron_monthly_perm_ownership.sh create mode 100755 bin/hardening/9.1.7_cron_d_perm_ownership.sh create mode 100755 bin/hardening/9.1.8_cron_users.sh create mode 100644 etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg create mode 100644 etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg create mode 100644 etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg create mode 100644 
etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg create mode 100644 etc/conf.d/9.1.7_cron_d_perm_ownership.cfg create mode 100644 etc/conf.d/9.1.8_cron_users.cfg diff --git a/bin/hardening/2.18_disable_cramfs.sh b/bin/hardening/2.18_disable_cramfs.sh index c937dd8..2fa2d47 100755 --- a/bin/hardening/2.18_disable_cramfs.sh +++ b/bin/hardening/2.18_disable_cramfs.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="cramfs" diff --git a/bin/hardening/2.19_disable_freevxfs.sh b/bin/hardening/2.19_disable_freevxfs.sh index a662581..e8e8429 100755 --- a/bin/hardening/2.19_disable_freevxfs.sh +++ b/bin/hardening/2.19_disable_freevxfs.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="freevxfs" diff --git a/bin/hardening/2.20_disable_jffs2.sh b/bin/hardening/2.20_disable_jffs2.sh index 128ed16..a567953 100755 --- a/bin/hardening/2.20_disable_jffs2.sh +++ b/bin/hardening/2.20_disable_jffs2.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="jffs2" diff --git a/bin/hardening/2.21_disable_hfs.sh b/bin/hardening/2.21_disable_hfs.sh index dc1c1d3..2f482e3 100755 --- a/bin/hardening/2.21_disable_hfs.sh +++ b/bin/hardening/2.21_disable_hfs.sh 
@@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="hfs" diff --git a/bin/hardening/2.22_disable_hfsplus.sh b/bin/hardening/2.22_disable_hfsplus.sh index 3daea0d..98d0d6e 100755 --- a/bin/hardening/2.22_disable_hfsplus.sh +++ b/bin/hardening/2.22_disable_hfsplus.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="hfsplus" diff --git a/bin/hardening/2.23_disable_squashfs.sh b/bin/hardening/2.23_disable_squashfs.sh index 5b0f089..08c7fb9 100755 --- a/bin/hardening/2.23_disable_squashfs.sh +++ b/bin/hardening/2.23_disable_squashfs.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="squashfs" diff --git a/bin/hardening/2.24_disable_udf.sh b/bin/hardening/2.24_disable_udf.sh index e102bdc..e49ecb1 100755 --- a/bin/hardening/2.24_disable_udf.sh +++ b/bin/hardening/2.24_disable_udf.sh @@ -12,7 +12,7 @@ set -e # One error, it's over set -u # One variable unset, it's over -# Assumption made : yu have a monolothic kernel with your config zipped in /proc/config.gz +# Assumption made : You have a monolothic kernel with your config zipped in /proc/config.gz KERNEL_OPTION="udf" diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.18_freeze_auditd_conf.sh index f1d6a0c..0b20cbc 100755 --- a/bin/hardening/8.1.18_freeze_auditd_conf.sh 
+++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh @@ -6,7 +6,7 @@ # # -# 8.1.17 Collect Kernel Module Loading and Unloading (Scored) +# 8.1.18 Make the Audit Configuration Immutable (Scored) # set -e # One error, it's over diff --git a/bin/hardening/8.3.1_install_tripwire.sh b/bin/hardening/8.3.1_install_tripwire.sh index fddce71..d3ec4d6 100755 --- a/bin/hardening/8.3.1_install_tripwire.sh +++ b/bin/hardening/8.3.1_install_tripwire.sh @@ -6,7 +6,7 @@ # # -# 8.2.1 Install the syslog-ng package (Scored) +# 8.3.1 Install tripwire package (Scored) # set -e # One error, it's over diff --git a/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh new file mode 100755 index 0000000..49d1c6b --- /dev/null +++ b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh 
@@ -0,0 +1,85 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.1.3 Set User/Group Owner and Permission on /etc/cron.hourly (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/cron.hourly' +PERMISSIONS='700' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.1.4_cron_daily_perm_ownership.sh b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh new file mode 100755 index 0000000..75f43cf --- /dev/null +++ b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh 
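Review bot: apply() calls `touch $FILE` when /etc/cron.hourly is missing, which creates a regular file rather than the directory cron's run-parts expects; the following `chmod 0700` then hardens an empty file and the real directory is still absent. Use `mkdir -p $FILE` (or `mkdir -m 0700 $FILE`) in that branch. `does_file_exist` is not visible here; if it tests `-f` rather than `-e` it will also report an existing directory as missing, so confirm it handles directories.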
@@ -0,0 +1,85 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.1.4 Set User/Group Owner and Permission on /etc/cron.daily (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/cron.daily' +PERMISSIONS='700' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh new file mode 100755 index 0000000..cb03ec0 --- /dev/null +++ b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh 
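Review bot: When /etc/cron.daily does not exist, apply() creates it with `touch $FILE`, i.e. as an empty regular file, so cron still has no daily directory and the `chmod 0700` lands on the wrong kind of object. Replace the touch with `mkdir -p $FILE` (or `mkdir -m 0700 $FILE`). Also confirm that `does_file_exist`, defined outside this hunk, accepts directories (`-e`, not `-f`), otherwise an existing directory is reported missing every run.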
@@ -0,0 +1,85 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.1.5 Set User/Group Owner and Permission on /etc/cron.weekly (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/cron.weekly' +PERMISSIONS='700' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh new file mode 100755 index 0000000..9b531fd --- /dev/null +++ b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh 
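Review bot: `touch $FILE` in apply() creates /etc/cron.weekly as a file, not a directory, when it is missing, so the subsequent ownership and `chmod 0700` fixes apply to an empty file and cron's weekly run-parts directory is still absent. Use `mkdir -p $FILE` (or `mkdir -m 0700 $FILE`) there. Since `does_file_exist` lives outside this hunk, check that it uses `-e`/`-d` semantics for this directory target rather than `-f`.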
@@ -0,0 +1,85 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.1.6 Set User/Group Owner and Permission on /etc/cron.monthly (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/cron.monthly' +PERMISSIONS='700' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.1.7_cron_d_perm_ownership.sh b/bin/hardening/9.1.7_cron_d_perm_ownership.sh new file mode 100755 index 0000000..4ce1da7 --- /dev/null +++ b/bin/hardening/9.1.7_cron_d_perm_ownership.sh 
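Review bot: The missing-target branch of apply() runs `touch $FILE`, which creates /etc/cron.monthly as a regular file; the chmod 0700 then hardens that file and cron's monthly run-parts directory never appears. Create it with `mkdir -p $FILE` (or `mkdir -m 0700 $FILE`) instead. `does_file_exist` is defined elsewhere; if it tests `-f`, an existing directory will be flagged as missing on every run, so confirm it handles directories.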
@@ -0,0 +1,85 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/cron.d' +PERMISSIONS='700' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.1.8_cron_users.sh b/bin/hardening/9.1.8_cron_users.sh new file mode 100755 index 0000000..ed15ed0 --- /dev/null +++ b/bin/hardening/9.1.8_cron_users.sh 
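Review bot: apply() uses `touch $FILE` to create /etc/cron.d when absent, which yields a regular file rather than the directory cron reads job files from; `chmod 0700` then hardens an empty file and the real directory still does not exist. Use `mkdir -p $FILE` (or `mkdir -m 0700 $FILE`) in that branch. The helper `does_file_exist` is outside this hunk; verify it reports an existing directory as present (`-e`/`-d`, not `-f`), otherwise the audit is wrong for every directory-based 9.1.x check.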
@@ -0,0 +1,112 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.1.8 Restrict at/cron to Authorized Users (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILES_ABSENT='/etc/cron.deny /etc/at.deny' +FILES_PRESENT='/etc/cron.allow /etc/at.allow' +PERMISSIONS='600' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for FILE in $FILES_ABSENT; do + does_file_exist $FILE + if [ $FNRET = 0 ]; then + crit "$FILE exists" + else + ok "$FILE is absent" + fi + done + for FILE in $FILES_PRESENT; do + does_file_exist $FILE + if [ $FNRET != 0 ]; then + crit "$FILE is absent" + else + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for FILE in $FILES_ABSENT; do + does_file_exist $FILE + if [ $FNRET = 0 ]; then + warn "$FILE exists" + rm $FILE + else + ok "$FILE is absent" + fi + done + for FILE in $FILES_PRESENT; do + does_file_exist $FILE + if [ $FNRET != 0 ]; then + warn "$FILE is absent" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + warn "$FILE has not $PERMISSIONS permissions set" + chmod 0$PERMISSIONS $FILE + fi + done +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; 
then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg b/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg b/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg b/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg b/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg b/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null 
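Review bot: When /etc/cron.allow or /etc/at.allow is missing, apply() silently creates an empty allow-list with `touch $FILE`; with an allow file present only the users listed in it (root's treatment depends on the cron build) may use crontab/at, so this step can lock existing users out of their scheduled jobs without saying so. Make the message explicit, e.g. `warn "$FILE is absent, creating an empty allow-list: only users added to it may use cron/at"`, and consider seeding it with the accounts that legitimately own cron jobs on the host. The check_config function is split across this and the following hunk line.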
+++ b/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.1.8_cron_users.cfg b/etc/conf.d/9.1.8_cron_users.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.1.8_cron_users.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled From 9451842e844df917dc2c5e4a17c28f3e134609b2 Mon Sep 17 00:00:00 2001 
From: "thibault.dewailly" Date: Fri, 15 Apr 2016 14:24:45 +0200 Subject: [PATCH 48/64] 9.2.1_enable_cracklib.sh 9.2.2_enable_lockout_failed_password.sh 9.2.3_limit_password_reuse.sh 9.3.10_disable_sshd_setenv.sh 9.3.11_sshd_ciphers.sh 9.3.12_sshd_idle_timeout.sh 9.3.13_sshd_limit_access.sh 9.3.14_ssh_banner.sh 9.3.2_sshd_loglevel.sh 9.3.1_sshd_protocol.sh 9.3.3_sshd_conf_perm_ownership.sh 9.3.4_disable_x11_forwarding.sh 9.3.5_sshd_maxauthtries.sh 9.3.6_enable_sshd_ignorerhosts.sh 9.3.7_disable_sshd_hostbasedauthentication.sh 9.3.8_disable_root_login.sh 9.3.9_disable_sshd_permitemptypasswords.sh --- bin/hardening/9.1.7_cron_d_perm_ownership.sh | 2 +- bin/hardening/9.2.1_enable_cracklib.sh | 70 ++++++++++++ .../9.2.2_enable_lockout_failed_password.sh | 70 ++++++++++++ bin/hardening/9.2.3_limit_password_reuse.sh | 70 ++++++++++++ bin/hardening/9.3.10_disable_sshd_setenv.sh | 87 +++++++++++++++ bin/hardening/9.3.11_sshd_ciphers.sh | 87 +++++++++++++++ bin/hardening/9.3.12_sshd_idle_timeout.sh | 90 +++++++++++++++ bin/hardening/9.3.13_sshd_limit_access.sh | 104 ++++++++++++++++++ bin/hardening/9.3.14_ssh_banner.sh | 88 +++++++++++++++ bin/hardening/9.3.1_sshd_protocol.sh | 87 +++++++++++++++ bin/hardening/9.3.2_sshd_loglevel.sh | 87 +++++++++++++++ .../9.3.3_sshd_conf_perm_ownership.sh | 85 ++++++++++++++ bin/hardening/9.3.4_disable_x11_forwarding.sh | 87 +++++++++++++++ bin/hardening/9.3.5_sshd_maxauthtries.sh | 87 +++++++++++++++ .../9.3.6_enable_sshd_ignorerhosts.sh | 87 +++++++++++++++ ....7_disable_sshd_hostbasedauthentication.sh | 87 +++++++++++++++ bin/hardening/9.3.8_disable_root_login.sh | 87 +++++++++++++++ ...9.3.9_disable_sshd_permitemptypasswords.sh | 87 +++++++++++++++ etc/conf.d/9.2.1_enable_cracklib.cfg | 2 + .../9.2.2_enable_lockout_failed_password.cfg | 2 + etc/conf.d/9.2.3_limit_password_reuse.cfg | 2 + etc/conf.d/9.3.10_disable_sshd_setenv.cfg | 2 + etc/conf.d/9.3.11_sshd_ciphers.cfg | 2 + etc/conf.d/9.3.12_sshd_idle_timeout.cfg | 5 + 
etc/conf.d/9.3.13_sshd_limit_access.cfg | 9 ++ etc/conf.d/9.3.14_ssh_banner.cfg | 4 + etc/conf.d/9.3.1_sshd_protocol.cfg | 2 + etc/conf.d/9.3.2_sshd_loglevel.cfg | 2 + etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg | 2 + etc/conf.d/9.3.4_disable_x11_forwarding.cfg | 2 + etc/conf.d/9.3.5_sshd_maxauthtries.cfg | 2 + etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg | 2 + ...7_disable_sshd_hostbasedauthentication.cfg | 2 + etc/conf.d/9.3.8_disable_root_login.cfg | 2 + ....3.9_disable_sshd_permitemptypasswords.cfg | 2 + lib/utils.sh | 4 +- 36 files changed, 1496 insertions(+), 3 deletions(-) create mode 100755 bin/hardening/9.2.1_enable_cracklib.sh create mode 100755 bin/hardening/9.2.2_enable_lockout_failed_password.sh create mode 100755 bin/hardening/9.2.3_limit_password_reuse.sh create mode 100755 bin/hardening/9.3.10_disable_sshd_setenv.sh create mode 100755 bin/hardening/9.3.11_sshd_ciphers.sh create mode 100755 bin/hardening/9.3.12_sshd_idle_timeout.sh create mode 100755 bin/hardening/9.3.13_sshd_limit_access.sh create mode 100755 bin/hardening/9.3.14_ssh_banner.sh create mode 100755 bin/hardening/9.3.1_sshd_protocol.sh create mode 100755 bin/hardening/9.3.2_sshd_loglevel.sh create mode 100755 bin/hardening/9.3.3_sshd_conf_perm_ownership.sh create mode 100755 bin/hardening/9.3.4_disable_x11_forwarding.sh create mode 100755 bin/hardening/9.3.5_sshd_maxauthtries.sh create mode 100755 bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh create mode 100755 bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh create mode 100755 bin/hardening/9.3.8_disable_root_login.sh create mode 100755 bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh create mode 100644 etc/conf.d/9.2.1_enable_cracklib.cfg create mode 100644 etc/conf.d/9.2.2_enable_lockout_failed_password.cfg create mode 100644 etc/conf.d/9.2.3_limit_password_reuse.cfg create mode 100644 etc/conf.d/9.3.10_disable_sshd_setenv.cfg create mode 100644 etc/conf.d/9.3.11_sshd_ciphers.cfg create mode 100644 
etc/conf.d/9.3.12_sshd_idle_timeout.cfg create mode 100644 etc/conf.d/9.3.13_sshd_limit_access.cfg create mode 100644 etc/conf.d/9.3.14_ssh_banner.cfg create mode 100644 etc/conf.d/9.3.1_sshd_protocol.cfg create mode 100644 etc/conf.d/9.3.2_sshd_loglevel.cfg create mode 100644 etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg create mode 100644 etc/conf.d/9.3.4_disable_x11_forwarding.cfg create mode 100644 etc/conf.d/9.3.5_sshd_maxauthtries.cfg create mode 100644 etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg create mode 100644 etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg create mode 100644 etc/conf.d/9.3.8_disable_root_login.cfg create mode 100644 etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg diff --git a/bin/hardening/9.1.7_cron_d_perm_ownership.sh b/bin/hardening/9.1.7_cron_d_perm_ownership.sh index 4ce1da7..2d1399c 100755 --- a/bin/hardening/9.1.7_cron_d_perm_ownership.sh +++ b/bin/hardening/9.1.7_cron_d_perm_ownership.sh @@ -6,7 +6,7 @@ # # -# 9.1.2 Set User/Group Owner and Permission on /etc/crontab (Scored) +# 9.1.7 Set User/Group Owner and Permission on /etc/cron.d (Scored) # set -e # One error, it's over diff --git a/bin/hardening/9.2.1_enable_cracklib.sh b/bin/hardening/9.2.1_enable_cracklib.sh new file mode 100755 index 0000000..464305d --- /dev/null +++ b/bin/hardening/9.2.1_enable_cracklib.sh 
@@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='libpam-cracklib' +PATTERN='^password.*pam_cracklib.so' +FILE='/etc/pam.d/common-password' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + add_line_file_before_pattern $FILE "password requisite pam_cracklib.so retry=3 minlen=8 difok=3" "# pam-auth-update(8) for details." + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
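Review bot: The "No CIS_ROOT_DIR variable, aborting" branch near the end of the hunk prints the message but never exits, unlike the sibling branch that does `exit 128`; with an empty CIS_ROOT_DIR the script falls through to `[ -r $CIS_ROOT_DIR/lib/main.sh ]`, which tests `/lib/main.sh` instead, so no audit or apply runs and the only signal is the test's non-zero status with no explanation. Add `exit 128` after that echo; the same block is copied into every new script in this patch (9.2.2, 9.2.3, 9.3.1 through 9.3.14). The anchor comment `# pam-auth-update(8) for details.` used by `add_line_file_before_pattern` indicates `/etc/pam.d/common-password` is a pam-auth-update managed file, which may be regenerated on later profile updates; a header comment saying that the inserted pam_cracklib line sits outside the managed block and that the check should be re-run after such updates would help operators.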
diff --git a/bin/hardening/9.2.2_enable_lockout_failed_password.sh b/bin/hardening/9.2.2_enable_lockout_failed_password.sh new file mode 100755 index 0000000..6215780 --- /dev/null +++ b/bin/hardening/9.2.2_enable_lockout_failed_password.sh 
@@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.2.2 Set Lockout for Failed Password Attempts (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='libpam-modules-bin' +PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so' +FILE='/etc/pam.d/login' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + add_line_file_before_pattern $FILE "auth required pam_tally.so onerr=fail deny=6 unlock_time=1800" "# Uncomment and edit \/etc\/security\/time.conf if you need to set" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
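Review bot: PATTERN `'^auth[[:space:]]*required[[:space:]]*pam_tally[2]?.so'` relies on `?` being a quantifier, which is only true under extended regex; in POSIX basic regex `?` is a literal, so the pattern would match neither `pam_tally.so` nor `pam_tally2.so`, audit would always report KO, and every apply run would insert one more `pam_tally.so` line into `/etc/pam.d/login`. Which flavour is in effect depends on `does_pattern_exists_in_file` in lib/utils.sh, outside this hunk; a form that behaves the same under both is `PATTERN='^auth[[:space:]]*required[[:space:]]*pam_tally2*\.so'`. Note also that the inserted line uses `pam_tally.so` while the pattern accepts `pam_tally2`, so a host already configured with pam_tally2 passes audit but a fresh apply picks the older module; a header comment should say which module is intended.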
diff --git a/bin/hardening/9.2.3_limit_password_reuse.sh b/bin/hardening/9.2.3_limit_password_reuse.sh new file mode 100755 index 0000000..b70ed54 --- /dev/null +++ b/bin/hardening/9.2.3_limit_password_reuse.sh 
@@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.2.3 Limit Password Reuse (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='libpam-modules' +PATTERN='^password.*remember' +FILE='/etc/pam.d/common-password' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN is not present in $FILE" + add_line_file_before_pattern $FILE "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" "# pam-auth-update(8) for details." + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.10_disable_sshd_setenv.sh b/bin/hardening/9.3.10_disable_sshd_setenv.sh new file mode 100755 index 0000000..a4c072b --- /dev/null 
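Review bot: The apply branch inserts a second `pam_unix.so` password line (`password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5`) rather than adding `remember=5` to the `pam_unix.so` line Debian already ships in `/etc/pam.d/common-password`. If the original line is kept, the stack ends up with two pam_unix entries, and `success=1` on the new one skips whichever module follows it, so the password-change flow becomes hard to predict from this script alone. Editing the existing line in place, for example with the `replace_in_file` helper the 9.3.x scripts use on a `^password.*pam_unix.so` pattern, keeps a single entry; the assumption that such a line exists should be confirmed against the target file. Minor: this apply logs `warn` where 9.2.1 and 9.2.2 log `crit` for the same "not present" case.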
+++ b/bin/hardening/9.3.10_disable_sshd_setenv.sh 
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.10 Do Not Allow Users to Set Environment Options (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='PermitUserEnvironment=no' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.11_sshd_ciphers.sh b/bin/hardening/9.3.11_sshd_ciphers.sh new file mode 100755 index 0000000..21b5d24 --- /dev/null +++ b/bin/hardening/9.3.11_sshd_ciphers.sh 
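Review bot: PATTERN `"^$SSH_PARAM[[:space:]]*$SSH_VALUE"` has no end anchor, so audit accepts any line that merely starts with the wanted value; that is harmless for `PermitUserEnvironment no`, but in the sibling scripts it lets `Protocol 2,1` (9.3.1) or a `Ciphers` list with extra algorithms appended (9.3.11) pass as compliant, and `[[:space:]]*` also accepts no separator at all. `PATTERN="^$SSH_PARAM[[:space:]][[:space:]]*$SSH_VALUE[[:space:]]*$"` closes both gaps; the same pattern is copied into 9.3.11, 9.3.12, 9.3.13, 9.3.1, 9.3.2 and 9.3.4. sshd reads keywords case-insensitively, so a `permituserenvironment no` line is compliant yet fails this check and is then duplicated by `add_end_of_file`; whether `does_pattern_exists_in_file` can ignore case is decided in lib/utils.sh, outside this hunk. Separately, `/etc/init.d/ssh reload` runs inside the `for SSH_OPTION` loop, once per corrected option; setting a flag in the `else` branch and reloading once after the loop with an `if` would avoid repeated reloads in the multi-option scripts (9.3.12, 9.3.13).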
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.11 Use Only Approved Cipher in Counter Mode (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='Ciphers=aes128-ctr,aes192-ctr,aes256-ctr' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.12_sshd_idle_timeout.sh b/bin/hardening/9.3.12_sshd_idle_timeout.sh new file mode 100755 index 0000000..e888c8b --- /dev/null +++ b/bin/hardening/9.3.12_sshd_idle_timeout.sh 
@@ -0,0 +1,90 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.12 Set Idle Timeout Interval for User Login (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + OPTIONS="ClientAliveInterval=$SSHD_TIMEOUT ClientAliveCountMax=0" + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + if [ -z $SSHD_TIMEOUT ]; then + crit "SSHD_TIMEOUT is not set, 
please edit configuration file" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.13_sshd_limit_access.sh b/bin/hardening/9.3.13_sshd_limit_access.sh new file mode 100755 index 0000000..6446cfa --- /dev/null +++ b/bin/hardening/9.3.13_sshd_limit_access.sh 
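Review bot: `check_config` tests `[ -z $SSHD_TIMEOUT ]` under `set -u`, so when the variable is not defined at all the shell aborts with an "unbound variable" error before the `crit` message is reached; only the empty-string case gets the intended diagnostic. Use `if [ -z "${SSHD_TIMEOUT:-}" ]; then`, and also reject non-numeric input, e.g. `case "${SSHD_TIMEOUT:-}" in ''|*[!0-9]*) crit "SSHD_TIMEOUT must be a positive integer"; exit 128 ;; esac`, since the value is written verbatim into sshd_config and followed by a reload. The same unquoted `-z` test appears in 9.3.13 and 9.3.14. `OPTIONS` is assigned only inside `audit` but read by `apply`, which appears to rely on lib/main.sh always running audit first; assigning it at the end of `check_config`, which both modes call before anything else, removes that hidden ordering dependency (9.3.13 and 9.3.14 have the same layout).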
@@ -0,0 +1,104 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.13 Limit Access via SSH (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + OPTIONS="AllowUsers='$ALLOWED_USERS' AllowGroups='$ALLOWED_GROUPS' DenyUsers='$DENIED_USERS' DenyGroups='$DENIED_GROUPS'" + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + SSH_VALUE=$(sed "s/'//g" <<< $SSH_VALUE) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function 
will check config parameters required +check_config() { + if [ -z $ALLOWED_USERS ]; then + info "ALLOWED_USERS is not set, defaults to wildcard" + ALLOWED_USERS="*" + fi + if [ -z $ALLOWED_GROUPS ]; then + info "ALLOWED_GROUPS is not set, defaults to wildcard" + ALLOWED_GROUPS="*" + fi + if [ -z $DENIED_USERS ]; then + info "DENIED_USERS is not set, defaults to nobody" + DENIED_USERS="nobody" + fi + if [ -z $DENIED_GROUPS ]; then + info "DENIED_GROUPS is not set, defaults to nobody" + DENIED_GROUPS="nobody" + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.14_ssh_banner.sh b/bin/hardening/9.3.14_ssh_banner.sh new file mode 100755 index 0000000..8df24fa --- /dev/null +++ b/bin/hardening/9.3.14_ssh_banner.sh 
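Review bot: `for SSH_OPTION in $OPTIONS` splits `OPTIONS` on whitespace, and the single quotes around `'$ALLOWED_USERS'` do not protect it because the string is never re-parsed by the shell, so a multi-user value such as `ALLOWED_USERS="alice bob"` yields the tokens `AllowUsers='alice` and `bob'`; the second has no `=`, `cut -d= -f 2` returns it whole for both SSH_PARAM and SSH_VALUE, and `add_end_of_file` writes `bob' bob` into sshd_config right before the reload. Since space-separated lists are exactly what AllowUsers/AllowGroups/DenyUsers/DenyGroups take, the loop should iterate over the four keyword names and look each value up by keyword, as sketched below for `apply` (the `audit` loop needs the same change). Note also that the `*` default from `check_config` lands in PATTERN as a regex quantifier, so audit would accept any `AllowUsers` line rather than a literal `AllowUsers *`.
```shell
apply () {
    # … unchanged: package presence check …
    for SSH_PARAM in AllowUsers AllowGroups DenyUsers DenyGroups; do
        case $SSH_PARAM in
            AllowUsers)  SSH_VALUE=$ALLOWED_USERS ;;
            AllowGroups) SSH_VALUE=$ALLOWED_GROUPS ;;
            DenyUsers)   SSH_VALUE=$DENIED_USERS ;;
            DenyGroups)  SSH_VALUE=$DENIED_GROUPS ;;
        esac
        PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE"
        # … unchanged: pattern check, add_end_of_file / replace_in_file, reload …
    done
}
```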
@@ -0,0 +1,88 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.14 Set SSH Banner (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + OPTIONS="Banner=$BANNER_FILE" + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + PATTERN="^$SSH_PARAM[[:space:]]*" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present and activated" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + if [ -z $BANNER_FILE ]; then + info "BANNER_FILE is not set, defaults to wildcard" + BANNER_FILE='/etc/issue.net' + fi +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.1_sshd_protocol.sh b/bin/hardening/9.3.1_sshd_protocol.sh new file mode 100755 index 0000000..167b167 --- /dev/null +++ b/bin/hardening/9.3.1_sshd_protocol.sh 
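Review bot: The fallback message in `check_config` says "defaults to wildcard" while the value assigned is `/etc/issue.net`; change it to `info "BANNER_FILE is not set, defaults to /etc/issue.net"`. In `audit`, PATTERN is only `"^$SSH_PARAM[[:space:]]*"`, so any `Banner` line, including `Banner none`, which disables the banner, is reported as compliant, whereas `apply` checks the full `Banner $BANNER_FILE` value; using the same value-bearing pattern in audit keeps the two consistent. In `apply`, the "present and activated" branch leaves a differing Banner value untouched yet still runs `/etc/init.d/ssh reload`; either call `replace_in_file` there as 9.3.10 does, or skip the reload. A check that `$BANNER_FILE` exists before it is written into sshd_config would also be worthwhile.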
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.1 Set SSH Protocol to 2 (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='Protocol=2' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload > /dev/null 2>&1 + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.2_sshd_loglevel.sh b/bin/hardening/9.3.2_sshd_loglevel.sh new file mode 100755 index 0000000..8114340 --- /dev/null +++ b/bin/hardening/9.3.2_sshd_loglevel.sh 
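Review bot: `/etc/init.d/ssh reload > /dev/null 2>&1` discards the reload's diagnostics, so when the reload fails, which under `set -e` ends the script, the operator gets no reason; 9.3.10 through 9.3.14 run the same command without the redirection. Keep stderr visible, e.g. `/etc/init.d/ssh reload > /dev/null`, or handle the failure explicitly: `/etc/init.d/ssh reload > /dev/null || { crit "sshd reload failed, check $FILE with sshd -t"; exit 128; }`. The same redirection is in 9.3.2 and 9.3.4.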
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.2 Set LogLevel to INFO (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='LogLevel=INFO' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload > /dev/null 2>&1 + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh new file mode 100755 index 0000000..ca23cf7 --- /dev/null +++ b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh 
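Review bot: The audit check for `LogLevel=INFO` is case-sensitive while sshd appears to accept log level names in any case, so a line such as `LogLevel info` is compliant in practice but would be reported KO and then rewritten by `replace_in_file`; if `does_pattern_exists_in_file` cannot be made case-insensitive, the header comment should state that only the upper-case spelling is recognized. Also, `info "Parameter $SSH_PARAM is present but with the wrong value, correcting"` is logged at info level while the preceding line already logged `warn` for the same condition; one warn-level message naming the old and new value would be easier to audit.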
@@ -0,0 +1,85 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.3 Set Permissions on /etc/ssh/sshd_config (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/ssh/sshd_config' +PERMISSIONS='600' +USER='root' +GROUP='root' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + does_user_exist $USER + if [ $FNRET != 0 ]; then + crit "$USER does not exist" + exit 128 + fi + does_group_exist $GROUP + if [ $FNRET != 0 ]; then + crit "$GROUP does not exist" + exit 128 + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.4_disable_x11_forwarding.sh b/bin/hardening/9.3.4_disable_x11_forwarding.sh new file mode 100755 index 0000000..5b3b2ae --- /dev/null +++ b/bin/hardening/9.3.4_disable_x11_forwarding.sh 
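Review bot: In `apply`, a missing `/etc/ssh/sshd_config` is silently replaced by an empty file via `touch $FILE`, after which sshd runs on its compiled-in defaults; that condition is better treated like the missing-user case in `check_config`: `crit "$FILE does not exist"` followed by `exit 128`. The script also assigns `USER='root'`, shadowing the login-environment variable `USER` for the rest of the run, including lib/main.sh sourced afterwards; a name such as `OWNER` avoids that. The `does_file_exist`, `has_file_correct_ownership` and `has_file_correct_permissions` helpers are in lib/utils.sh, outside this hunk.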
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.4 Disable SSH X11 Forwarding (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='X11Forwarding=no' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload > /dev/null 2>&1 + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.5_sshd_maxauthtries.sh b/bin/hardening/9.3.5_sshd_maxauthtries.sh new file mode 100755 index 0000000..79a6f40 --- /dev/null +++ b/bin/hardening/9.3.5_sshd_maxauthtries.sh 
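Review bot: `apt_install $PACKAGE` in apply installs openssh-server on any host where it is absent, so a hardening run turns a machine that deliberately does not run sshd into one that does; the same branch appears in 9.3.5–9.3.9. A hardening script should only constrain a service that is already present, so the absent case is better handled as `crit "$PACKAGE is absent, nothing to harden"` followed by `return`, leaving installation to the operator. The `/etc/init.d/ssh reload > /dev/null 2>&1` at the end of the loop also discards the daemon's error output, unlike 9.3.5–9.3.9; under `set -e` a failed reload aborts apply with no message saying why, so drop the redirection for consistency.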
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.5 Set SSH MaxAuthTries to 4 or Less (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='MaxAuthTries=4' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh new file mode 100755 index 0000000..bc550a6 --- /dev/null +++ b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh 
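Review bot: The audit regex `^$SSH_PARAM[[:space:]]*$SSH_VALUE` is not anchored after the value, so `MaxAuthTries 40` or `MaxAuthTries 4000` is reported as compliant, while the stricter `MaxAuthTries 3` is flagged and then rewritten to 4 by apply, weakening an already-compliant configuration. The same construction is reused in 9.3.4, 9.3.6–9.3.9 and 10.1.1–10.1.3, where for example `PASS_MAX_DAYS 900` passes the 10.1.1 check. Anchoring the pattern, `PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE[[:space:]]*$"`, removes the over-match and works in both basic and extended grep (I cannot see which flavour does_pattern_exists_in_file uses); the "4 or less" requirement itself calls for a numeric comparison of the current value rather than a string match, so values 1–3 are accepted instead of overwritten.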
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.6 Set SSH IgnoreRhosts to Yes (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='IgnoreRhosts=yes' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh new file mode 100755 index 0000000..faa23d4 --- /dev/null +++ b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh 
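Review bot: sshd uses the first occurrence of a keyword in sshd_config and matches keywords case-insensitively, but both the audit pattern and the `^$SSH_PARAM` probe in apply are case-sensitive literal matches, so an existing `ignorerhosts no` line is not found, `IgnoreRhosts yes` is appended at the end of the file where sshd ignores it, and the next audit reports OK while the insecure setting is still in force. The same applies to 9.3.4, 9.3.5 and 9.3.7–9.3.9. Making the probe case-insensitive is the minimal fix but depends on does_pattern_exists_in_file and replace_in_file (outside this diff) exposing such an option; otherwise the audit should verify the effective value through `sshd -T` instead of pattern-matching the file.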
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.7 Set SSH HostbasedAuthentication to No (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='HostbasedAuthentication=no' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.8_disable_root_login.sh b/bin/hardening/9.3.8_disable_root_login.sh new file mode 100755 index 0000000..96df935 --- /dev/null +++ b/bin/hardening/9.3.8_disable_root_login.sh 
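Review bot: `replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" ...` rewrites every line that starts with HostbasedAuthentication at column 0, including ones the operator placed inside a `Match` block as a deliberate per-user or per-host exception, while an indented `HostbasedAuthentication yes` inside a `Match` block is never seen by the `^`-anchored audit and stays in effect for the matched sessions; the same holds for 9.3.4–9.3.6, 9.3.8 and 9.3.9. I cannot see replace_in_file's implementation, so the first half is to be confirmed; at minimum the audit should `warn` when the file contains a `Match` line so the exceptions get a manual look. As a point of style, `/etc/init.d/ssh reload` sits inside the `for SSH_OPTION` loop and would reload the daemon once per corrected option; setting a flag in the loop and reloading once after `done` keeps the template ready for multi-option lists.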
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.8 Disable SSH Root Login (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='PermitRootLogin=no' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh new file mode 100755 index 0000000..383ca48 --- /dev/null +++ b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh 
@@ -0,0 +1,87 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.3.9 Set SSH PermitEmptyPasswords to No (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='openssh-server' +OPTIONS='PermitRootLogin=no' +FILE='/etc/ssh/sshd_config' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + /etc/init.d/ssh reload + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/9.2.1_enable_cracklib.cfg b/etc/conf.d/9.2.1_enable_cracklib.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.2.1_enable_cracklib.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg b/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.2.3_limit_password_reuse.cfg b/etc/conf.d/9.2.3_limit_password_reuse.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.2.3_limit_password_reuse.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.3.10_disable_sshd_setenv.cfg b/etc/conf.d/9.3.10_disable_sshd_setenv.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.3.10_disable_sshd_setenv.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.3.11_sshd_ciphers.cfg b/etc/conf.d/9.3.11_sshd_ciphers.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.3.11_sshd_ciphers.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.3.12_sshd_idle_timeout.cfg b/etc/conf.d/9.3.12_sshd_idle_timeout.cfg new file mode 100644 index 0000000..c17c30f --- /dev/null 
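Review bot: `OPTIONS='PermitRootLogin=no'` is a copy-paste leftover from 9.3.8: this script is named and headed "Set SSH PermitEmptyPasswords to No" but audits and enforces PermitRootLogin, so the PermitEmptyPasswords control is never checked and a configuration with `PermitEmptyPasswords yes` passes as compliant. Change it to `OPTIONS='PermitEmptyPasswords=no'`. Since every 9.3.x script is the same template with a different OPTIONS line, a repository-level check that the option name in OPTIONS appears in the script's own header comment would catch this class of mistake.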
+++ b/etc/conf.d/9.3.12_sshd_idle_timeout.cfg @@ -0,0 +1,5 @@ +# Configuration for script of same name +status=enabled +# In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0 +# Settles sshd idle timeout +SSHD_TIMEOUT=900 diff --git a/etc/conf.d/9.3.13_sshd_limit_access.cfg b/etc/conf.d/9.3.13_sshd_limit_access.cfg new file mode 100644 index 0000000..3373d5c --- /dev/null +++ b/etc/conf.d/9.3.13_sshd_limit_access.cfg @@ -0,0 +1,9 @@ +# Configuration for script of same name +status=enabled + +# Put here ssh user hardening list, there is a default in script to not break your configuration +# However, it can erase current configuration +ALLOWED_USERS='' +ALLOWED_GROUPS='' +DENIED_USERS='' +DENIED_GROUPS='' diff --git a/etc/conf.d/9.3.14_ssh_banner.cfg b/etc/conf.d/9.3.14_ssh_banner.cfg new file mode 100644 index 0000000..500c8d6 --- /dev/null +++ b/etc/conf.d/9.3.14_ssh_banner.cfg @@ -0,0 +1,4 @@ +# Configuration for script of same name +status=enabled +# Put here banner file, default to /etc/issue.net +BANNER_FILE="" diff --git a/etc/conf.d/9.3.1_sshd_protocol.cfg b/etc/conf.d/9.3.1_sshd_protocol.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.3.1_sshd_protocol.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.3.2_sshd_loglevel.cfg b/etc/conf.d/9.3.2_sshd_loglevel.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.3.2_sshd_loglevel.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg b/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled 
diff --git a/etc/conf.d/9.3.4_disable_x11_forwarding.cfg b/etc/conf.d/9.3.4_disable_x11_forwarding.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.3.4_disable_x11_forwarding.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.3.5_sshd_maxauthtries.cfg b/etc/conf.d/9.3.5_sshd_maxauthtries.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.3.5_sshd_maxauthtries.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg b/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg b/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.3.8_disable_root_login.cfg b/etc/conf.d/9.3.8_disable_root_login.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.3.8_disable_root_login.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg b/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/lib/utils.sh b/lib/utils.sh index 384a15f..f382475 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
@@ -114,8 +114,8 @@ add_end_of_file() { local LINE=$2 debug "Adding $LINE at the end of $FILE" - backup_file "$1" - echo "$2" >> $FILE + backup_file "$FILE" + echo "$LINE" >> $FILE } add_line_file_before_pattern() { From dd9fac10d9b617a31ff645c78099eb4c42836a70 Mon Sep 17 00:00:00 2001 
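Review bot: `echo "$LINE" >> $FILE` still mishandles the data it appends: a LINE starting with `-n` or `-e` is consumed as an echo option, backslash sequences may be interpreted depending on the shell's echo settings, and the unquoted `$FILE` word-splits on a path containing spaces. Use `printf '%s\n' "$LINE" >> "$FILE"` so the appended text reaches the file byte-for-byte; this matters because the callers added in this series write sshd_config and login.defs directives through this function. The enclosing function starts outside the hunk.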
From: "thibault.dewailly" Date: Fri, 15 Apr 2016 19:29:26 +0200 Subject: [PATCH 49/64] 10.1.1_set_password_exp_days.sh 10.1.2_set_password_min_days_change.sh 10.1.3_set_password_exp_warning_days.sh 10.2_disable_system_accounts.sh 10.3_default_root_group.sh 10.4_default_umask.sh 9.4_secure_tty.sh 9.5_restrict_su.sh --- bin/hardening/10.1.1_set_password_exp_days.sh | 86 +++++++++++++++++++ .../10.1.2_set_password_min_days_change.sh | 86 +++++++++++++++++++ .../10.1.3_set_password_exp_warning_days.sh | 86 +++++++++++++++++++ bin/hardening/10.2_disable_system_accounts.sh | 65 ++++++++++++++ bin/hardening/10.3_default_root_group.sh | 54 ++++++++++++ bin/hardening/10.4_default_umask.sh | 60 +++++++++++++ bin/hardening/9.4_secure_tty.sh | 46 ++++++++++ bin/hardening/9.5_restrict_su.sh | 70 +++++++++++++++ etc/conf.d/10.1.1_set_password_exp_days.cfg | 2 + .../10.1.2_set_password_min_days_change.cfg | 2 + .../10.1.3_set_password_exp_warning_days.cfg | 2 + etc/conf.d/10.2_disable_system_accounts.cfg | 4 + etc/conf.d/10.3_default_root_group.cfg | 2 + etc/conf.d/10.4_default_umask.cfg | 2 + etc/conf.d/9.4_secure_tty.cfg | 2 + etc/conf.d/9.5_restrict_su.cfg | 2 + 16 files changed, 571 insertions(+) create mode 100755 bin/hardening/10.1.1_set_password_exp_days.sh create mode 100755 bin/hardening/10.1.2_set_password_min_days_change.sh create mode 100755 bin/hardening/10.1.3_set_password_exp_warning_days.sh create mode 100755 bin/hardening/10.2_disable_system_accounts.sh create mode 100755 bin/hardening/10.3_default_root_group.sh create mode 100755 bin/hardening/10.4_default_umask.sh create mode 100755 bin/hardening/9.4_secure_tty.sh create mode 100755 bin/hardening/9.5_restrict_su.sh create mode 100644 etc/conf.d/10.1.1_set_password_exp_days.cfg create mode 100644 etc/conf.d/10.1.2_set_password_min_days_change.cfg create mode 100644 etc/conf.d/10.1.3_set_password_exp_warning_days.cfg create mode 100644 etc/conf.d/10.2_disable_system_accounts.cfg create mode 100644 
etc/conf.d/10.3_default_root_group.cfg create mode 100644 etc/conf.d/10.4_default_umask.cfg create mode 100644 etc/conf.d/9.4_secure_tty.cfg create mode 100644 etc/conf.d/9.5_restrict_su.cfg diff --git a/bin/hardening/10.1.1_set_password_exp_days.sh b/bin/hardening/10.1.1_set_password_exp_days.sh new file mode 100755 index 0000000..3e0a60d --- /dev/null +++ b/bin/hardening/10.1.1_set_password_exp_days.sh 
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 10.1.1 Set Password Expiration Days (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='login' +OPTIONS='PASS_MAX_DAYS=90' +FILE='/etc/login.defs' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.1.2_set_password_min_days_change.sh b/bin/hardening/10.1.2_set_password_min_days_change.sh new file mode 100755 index 0000000..136b0e2 --- /dev/null +++ b/bin/hardening/10.1.2_set_password_min_days_change.sh 
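Review bot: Setting PASS_MAX_DAYS in /etc/login.defs only affects accounts created after the change; the apply branch leaves every existing user's maximum password age untouched, so a host passes audit while its current accounts still have no expiry (10.1.2 and 10.1.3 have the same gap for PASS_MIN_DAYS and PASS_WARN_AGE). The apply step should also walk the existing password-bearing accounts and set the value with `chage -M "$SSH_VALUE" "$user"` (`-m` for 10.1.2, `-W` for 10.1.3), and the audit should compare the per-account values from `chage -l` or the shadow fields rather than only the defaults file. As a point of style, the loop variables SSH_OPTION/SSH_PARAM/SSH_VALUE were copied from the sshd scripts and are misleading in a login.defs script; renaming them to OPTION/PARAM/VALUE makes the template read correctly.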
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 10.1.2 Set Password Change Minimum Number of Days (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='login' +OPTIONS='PASS_MIN_DAYS=7' +FILE='/etc/login.defs' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.1.3_set_password_exp_warning_days.sh b/bin/hardening/10.1.3_set_password_exp_warning_days.sh new file mode 100755 index 0000000..ce7b164 --- /dev/null +++ b/bin/hardening/10.1.3_set_password_exp_warning_days.sh 
@@ -0,0 +1,86 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 10.1.3 Set Password Expiring Warning Days (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='login' +OPTIONS='PASS_MIN_DAYS=7' +FILE='/etc/login.defs' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + done + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + for SSH_OPTION in $OPTIONS; do + SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) + SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) + PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + warn "$PATTERN not present in $FILE, adding it" + does_pattern_exists_in_file $FILE "^$SSH_PARAM" + if [ $FNRET != 0 ]; then + add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" + else + info "Parameter $SSH_PARAM is present but with the wrong value, correcting" + replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! 
-r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.2_disable_system_accounts.sh b/bin/hardening/10.2_disable_system_accounts.sh new file mode 100755 index 0000000..1aa9421 --- /dev/null +++ b/bin/hardening/10.2_disable_system_accounts.sh 
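Review bot: `OPTIONS='PASS_MIN_DAYS=7'` is copied from 10.1.2, so this script enforces the minimum-days setting a second time and never touches the warning age it is named for; PASS_WARN_AGE is left unaudited. It should read `OPTIONS='PASS_WARN_AGE=7'`. The filename and header comment are correct, only the OPTIONS line is wrong.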
@@ -0,0 +1,65 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 10.2 Disable System Accounts (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +SHELL='/bin/false' +FILE='/etc/passwd' +RESULT='' + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Checking if admin accounts have login different from $SHELL" + eval $(RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}' | grep -v "$EXCEPTIONS")) + if [ ! -z "$RESULT" ]; then + crit "Some admin accounts have not $SHELL as shell" + crit "$RESULT" + else + ok "All admin accounts deactivated" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + eval $(RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}' | grep -v "$EXCEPTIONS")) + if [ ! -z "$RESULT" ]; then + warn "Some admin accounts have not $SHELL as shell" + warn "$RESULT" + for USER in $( echo "$RESULT" | cut -d: -f 1 ); do + info "Setting $SHELL to $USER" + usermod -s $SHELL $USER + done + else + ok "All admin accounts deactivated, nothing to apply" + fi +} + +# This function will check config parameters required +check_config() { + if [ -z $EXCEPTIONS ]; then + EXCEPTIONS="@" + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
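Review bot: `eval $(RESULT=$(...))` in audit() and apply() never assigns `RESULT` in the calling shell: the assignment runs inside the command substitution's subshell, the substitution prints nothing, `eval` is handed an empty string, and `RESULT` keeps the `''` it is initialised with, so both functions always report "All admin accounts deactivated" whatever /etc/passwd contains. Replace that line with a plain assignment, `RESULT=$(egrep -v "^\+" $FILE | awk -F: '…' | grep -v "$EXCEPTIONS" || true)` — the `|| true` is needed because under `set -e` a `grep -v` that filters out every line exits 1 and would abort the script. `grep -v "$EXCEPTIONS"` also treats the whole config value as one regular expression, so a space-separated list of account names (what the config comment "Put here your exceptions" invites) is matched literally as a single string; a per-user `case` test inside the loop, or a `|`-joined list with `grep -v -E`, is what is actually wanted. `[ -z $EXCEPTIONS ]` in check_config() is unquoted and, with `set -u`, fails as an unbound variable when the config file does not define it; `[ -z "${EXCEPTIONS:-}" ]` covers both cases.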
diff --git a/bin/hardening/10.3_default_root_group.sh b/bin/hardening/10.3_default_root_group.sh new file mode 100755 index 0000000..a01fa34 --- /dev/null +++ b/bin/hardening/10.3_default_root_group.sh @@ -0,0 +1,54 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 10.1.3 Set Password Expiring Warning Days (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +USER='root' +EXPECTED_GID='0' + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then + ok "Root group has GID $EXPECTED_GID" + else + crit "Root group has not GID $EXPECTED_GID" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]; then + ok "Root group has GID $EXPECTED_GID" + else + warn "Root group has not GID $EXPECTED_GID" + usermod -g $EXPECTED_GID $USER + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/10.4_default_umask.sh b/bin/hardening/10.4_default_umask.sh new file mode 100755 index 0000000..577a62e --- /dev/null +++ b/bin/hardening/10.4_default_umask.sh 
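Review bot: The test `[ $(grep "^root:" /etc/passwd | cut -f4 -d:) = 0 ]` in audit() and apply() is unquoted and hard-codes `0` instead of `$EXPECTED_GID`, so an empty substitution (no `root:` line, unreadable file) collapses to `[ = 0 ]` and a syntax error instead of a `crit`; `[ "$(grep "^root:" /etc/passwd | cut -f4 -d:)" = "$EXPECTED_GID" ]` fixes both. The header comment still reads "10.1.3 Set Password Expiring Warning Days", copied from the previous script; it should name 10.3 (default root group) as the file name does. `USER='root'` overwrites the `USER` variable that the login process normally exports, so every child process (`usermod` here) sees `USER=root` regardless of who invoked the script; the same assignment appears in 10.4 (where it is unused), 11.1, 12.4 and 12.5, and a script-specific name such as `ROOT_USER` avoids the clash.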
@@ -0,0 +1,60 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 10.4 Set Default umask for Users (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +USER='root' +PATTERN='umask 077' +FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/*' +FILE='/etc/profile.d/CIS_10.4_umask.sh' + +# This function will be called if the script status is on enabled / audit mode +audit () { + does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" + if [ $FNRET != 0 ]; then + crit "$PATTERN not present in $FILES_TO_SEARCH" + else + ok "$PATTERN present in $FILES_TO_SEARCH" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN" + if [ $FNRET != 0 ]; then + warn "$PATTERN not present in $FILES_TO_SEARCH" + touch $FILE + chmod 700 $FILE + add_end_of_file $FILE "$PATTERN" + else + ok "$PATTERN present in $FILES_TO_SEARCH" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.4_secure_tty.sh b/bin/hardening/9.4_secure_tty.sh new file mode 100755 index 0000000..ddeb0d9 --- /dev/null +++ b/bin/hardening/9.4_secure_tty.sh 
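Review bot: apply() creates `/etc/profile.d/CIS_10.4_umask.sh` with `chmod 700 $FILE`, which leaves the file readable by root only; `/etc/profile` sources `/etc/profile.d/*.sh` for every login shell, so non-root shells either skip the unreadable file or fail to read it and never receive the umask this script exists to set. It should be `chmod 644 $FILE` (root-owned, world-readable) like the other snippets in that directory. audit() and apply() pass `"$FILES_TO_SEARCH"` — a space-separated list containing a glob — as one quoted argument to `does_pattern_exists_in_file`; unless that helper word-splits and glob-expands its first argument (it is outside this hunk), the search runs against a single non-existent path and the audit always fails. The unused `USER='root'` at the top can be dropped.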
@@ -0,0 +1,46 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.4 Restrict root Login to System Console (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/securetty' + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Remove terminal entries in $FILE for any consoles that are not in a physically secure location." + info "No measure here, please review the file by yourself" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Remove terminal entries in $FILE for any consoles that are not in a physically secure location." + info "No measure here, please review the file by yourself" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.5_restrict_su.sh b/bin/hardening/9.5_restrict_su.sh new file mode 100755 index 0000000..70d6922 --- /dev/null +++ b/bin/hardening/9.5_restrict_su.sh 
@@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PACKAGE='login' +PATTERN='^auth[[:space:]]*required[[:space:]]*pam_wheel.so' +FILE='/etc/pam.d/su' + +# This function will be called if the script status is on enabled / audit mode +audit () { + is_pkg_installed $PACKAGE + if [ $FNRET != 0 ]; then + crit "$PACKAGE is not installed !" + else + ok "$PACKAGE is installed" + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + fi + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + is_pkg_installed $PACKAGE + if [ $FNRET = 0 ]; then + ok "$PACKAGE is installed" + else + crit "$PACKAGE is absent, installing it" + apt_install $PACKAGE + fi + does_pattern_exists_in_file $FILE $PATTERN + if [ $FNRET = 0 ]; then + ok "$PATTERN is present in $FILE" + else + crit "$PATTERN is not present in $FILE" + add_line_file_before_pattern $FILE "auth required pam_wheel.so" "# Uncomment this if you want wheel members to be able to" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
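Review bot: `does_pattern_exists_in_file $FILE $PATTERN` in audit() and apply() passes the pattern unquoted, unlike the `"$PATTERN"` form the 10.1.x scripts use; `PATTERN` contains `*`, so it undergoes pathname expansion against the current directory before the helper sees it, and the call should read `does_pattern_exists_in_file $FILE "$PATTERN"` in both places. In apply(), the branch that goes on to insert the line logs `crit` first, whereas the sibling scripts use `warn` for "about to fix" and reserve `crit` for audit findings; operators filter on those levels, so the distinction matters. The inserted `auth required pam_wheel.so` is anchored on the comment "# Uncomment this if you want wheel members to be able to", which on a stock Debian file (as far as I recall) introduces the `pam_wheel.so trust` stanza rather than the commented-out `# auth required pam_wheel.so` line the recommendation asks to enable; anchoring on that line would leave a file whose comments still match its contents.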
diff --git a/etc/conf.d/10.1.1_set_password_exp_days.cfg b/etc/conf.d/10.1.1_set_password_exp_days.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/10.1.1_set_password_exp_days.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/10.1.2_set_password_min_days_change.cfg b/etc/conf.d/10.1.2_set_password_min_days_change.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/10.1.2_set_password_min_days_change.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg b/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/10.2_disable_system_accounts.cfg b/etc/conf.d/10.2_disable_system_accounts.cfg
new file mode 100644
index 0000000..4f45edf
--- /dev/null
+++ b/etc/conf.d/10.2_disable_system_accounts.cfg
@@ -0,0 +1,4 @@
+# Configuration for script of same name
+status=enabled
+# Put here your exceptions concerning admin shells
+EXCEPTIONS=""
diff --git a/etc/conf.d/10.3_default_root_group.cfg b/etc/conf.d/10.3_default_root_group.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/10.3_default_root_group.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/10.4_default_umask.cfg b/etc/conf.d/10.4_default_umask.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/10.4_default_umask.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/9.4_secure_tty.cfg b/etc/conf.d/9.4_secure_tty.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/9.4_secure_tty.cfg
@@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/9.5_restrict_su.cfg b/etc/conf.d/9.5_restrict_su.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/9.5_restrict_su.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled From da30fa0b48894cf3630216165e76002b06ce0c88 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Fri, 15 Apr 2016 23:38:48 +0200 Subject: [PATCH 50/64] 10.5_lock_inactive_user_account.sh 11.1_warning_banners.sh 11.2_remove_os_info_warning_banners.sh 11.3_graphical_warning_banners.sh --- bin/hardening/10.4_default_umask.sh | 2 +- .../10.5_lock_inactive_user_account.sh | 46 +++++++++++ bin/hardening/11.1_warning_banners.sh | 80 +++++++++++++++++++ .../11.2_remove_os_info_warning_banners.sh | 60 ++++++++++++++ .../11.3_graphical_warning_banners.sh | 42 ++++++++++ bin/hardening/9.5_restrict_su.sh | 2 +- .../10.5_lock_inactive_user_account.cfg | 2 + etc/conf.d/11.1_warning_banners.cfg | 2 + .../11.2_remove_os_info_warning_banners.cfg | 2 + etc/conf.d/11.3_graphical_warning_banners.cfg | 2 + lib/utils.sh | 18 ++++- 11 files changed, 254 insertions(+), 4 deletions(-) create mode 100755 bin/hardening/10.5_lock_inactive_user_account.sh create mode 100755 bin/hardening/11.1_warning_banners.sh create mode 100755 bin/hardening/11.2_remove_os_info_warning_banners.sh create mode 100755 bin/hardening/11.3_graphical_warning_banners.sh create mode 100644 etc/conf.d/10.5_lock_inactive_user_account.cfg create mode 100644 etc/conf.d/11.1_warning_banners.cfg create mode 100644 etc/conf.d/11.2_remove_os_info_warning_banners.cfg create mode 100644 etc/conf.d/11.3_graphical_warning_banners.cfg diff --git a/bin/hardening/10.4_default_umask.sh b/bin/hardening/10.4_default_umask.sh index 577a62e..5e09853 100755 --- a/bin/hardening/10.4_default_umask.sh +++ b/bin/hardening/10.4_default_umask.sh 
@@ -13,7 +13,7 @@ set -e # One error, it's over set -u # One variable unset, it's over USER='root' -PATTERN='umask 077' +PATTERN='umask 644' FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/*' FILE='/etc/profile.d/CIS_10.4_umask.sh' diff --git a/bin/hardening/10.5_lock_inactive_user_account.sh b/bin/hardening/10.5_lock_inactive_user_account.sh new file mode 100755 index 0000000..6d82eff --- /dev/null +++ b/bin/hardening/10.5_lock_inactive_user_account.sh @@ -0,0 +1,46 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 10.4 Set Default umask for Users (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Looking at the manual of useradd, it seems that this recommendation does not fill the title" + info "The number of days after a password expires until the account is permanently disabled." + info "Which is not inactive users per se" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Looking at the manual of useradd, it seems that this recommendation does not fill the title" + info "The number of days after a password expires until the account is permanently disabled." + info "Which is not inactive users per se" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
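Review bot: Changing `PATTERN` from `'umask 077'` to `'umask 644'` makes the script enforce a broken setting: a umask names the permission bits to clear, so with 644 new files are created as `-----w--w-` (0022) and new directories as `--x-wx-wx` (0133) — unreadable by their owner and writable by everyone else. Recommendation 10.4 asks for `umask 077`, which is what the removed line had; revert to `PATTERN='umask 077'`. Because the audit in this script (outside the hunk) greps for the literal `^$PATTERN`, a comment beside the assignment such as `# Value written to the profile.d snippet AND grepped for by audit; keep it a literal umask line` would stop the next editor from treating it as free text.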
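Review bot: The header comment of the new `10.5_lock_inactive_user_account.sh` reads "10.4 Set Default umask for Users (Scored)", copied from the umask script; it should name 10.5 (lock inactive user accounts) as the file name does. Since audit() and apply() only print the author's reasoning and perform no check, a one-line comment above audit(), `# Informational only: no check or change is made, see the info messages`, would make that explicit to someone reading the report rather than the script.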
diff --git a/bin/hardening/11.1_warning_banners.sh b/bin/hardening/11.1_warning_banners.sh
new file mode 100755
index 0000000..b4620ce
--- /dev/null
+++ b/bin/hardening/11.1_warning_banners.sh
@@ -0,0 +1,80 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 11.1 Set Warning Banner for Standard Login Services (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +PERMISSIONS='644' +USER='root' +GROUP='root' +FILES='/etc/motd /etc/issue /etc/issue.net' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for FILE in $FILES; do + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + crit "$FILE is not $USER:$GROUP ownership set" + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for FILE in $FILES; do + does_file_exist $FILE + if [ $FNRET != 0 ]; then + info "$FILE does not exist" + touch $FILE + fi + has_file_correct_ownership $FILE $USER $GROUP + if [ $FNRET = 0 ]; then + ok "$FILE has correct ownership" + else + warn "$FILE is not $USER:$GROUP ownership set" + chown $USER:$GROUP $FILE + fi + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
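Review bot: audit() reports a missing banner file as "$FILE is not root:root ownership set" because it omits the `does_file_exist` guard that apply() performs, so the finding does not describe what is actually wrong; adding `does_file_exist $FILE` with a `crit "$FILE does not exist"` before the ownership check in audit() gives an accurate result. In apply(), the permission fix is logged at `info` while the ownership fix two lines above is logged at `warn`; both change the system and should use the same level. `USER='root'` overwrites the `USER` variable that the login process normally exports, so `chown` and any other child here runs with `USER=root` in its environment regardless of the invoking user (the same assignment appears in 10.3, 12.4 and 12.5); a script-specific name such as `OWNER` avoids the clash.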
diff --git a/bin/hardening/11.2_remove_os_info_warning_banners.sh b/bin/hardening/11.2_remove_os_info_warning_banners.sh new file mode 100755 index 0000000..9ed0bc9 --- /dev/null +++ b/bin/hardening/11.2_remove_os_info_warning_banners.sh @@ -0,0 +1,60 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 11.2 Remove OS Information from Login Warning Banners (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILES='/etc/motd /etc/issue /etc/issue.net' +PATTERN='(\\v|\\r|\\m|\\s)' + +# This function will be called if the script status is on enabled / audit mode +audit () { + for FILE in $FILES; do + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + crit "$PATTERN is present in $FILE" + else + ok "$PATTERN is not present in $FILE" + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for FILE in $FILES; do + does_pattern_exists_in_file $FILE "$PATTERN" + if [ $FNRET = 0 ]; then + warn "$PATTERN is present in $FILE" + delete_line_in_file $FILE $PATTERN + else + ok "$PATTERN is not present in $FILE" + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/11.3_graphical_warning_banners.sh b/bin/hardening/11.3_graphical_warning_banners.sh new file mode 100755 index 0000000..7126b93 --- /dev/null +++ b/bin/hardening/11.3_graphical_warning_banners.sh 
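Review bot: `delete_line_in_file $FILE $PATTERN` in apply() hands `(\\v|\\r|\\m|\\s)` to the helper's `sed -i "/$PATTERN/d"` (added to lib/utils.sh in this series), and sed defaults to basic regular expressions, where `(`, `)` and `|` are literal characters; the address therefore matches only the literal text `(\v|\r|\m|\s)` and the flagged lines are never deleted. If `does_pattern_exists_in_file` matches with `grep -E` (it is not in this hunk), audit will keep reporting the file on every run while apply claims to have fixed it. Either give the helper an ERE flag or avoid alternation, e.g. loop over `'\\v' '\\r' '\\m' '\\s'` and call `delete_line_in_file` once per escape. Deleting the whole line also discards the surrounding banner text; `sed -i "s/$PATTERN//g"` would strip only the OS-information escapes, which is what recommendation 11.2 asks for.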
@@ -0,0 +1,42 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 11.3 Set Graphical Warning Banner (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Not implemented yet" +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Not implemented yet" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/9.5_restrict_su.sh b/bin/hardening/9.5_restrict_su.sh index 70d6922..90737da 100755 --- a/bin/hardening/9.5_restrict_su.sh +++ b/bin/hardening/9.5_restrict_su.sh @@ -6,7 +6,7 @@ # # -# 9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib (Scored) +# 9.5 Restrict Access to the su Command (Scored) # set -e # One error, it's over diff --git a/etc/conf.d/10.5_lock_inactive_user_account.cfg b/etc/conf.d/10.5_lock_inactive_user_account.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/10.5_lock_inactive_user_account.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/11.1_warning_banners.cfg b/etc/conf.d/11.1_warning_banners.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/11.1_warning_banners.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled 
diff --git a/etc/conf.d/11.2_remove_os_info_warning_banners.cfg b/etc/conf.d/11.2_remove_os_info_warning_banners.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/11.2_remove_os_info_warning_banners.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/11.3_graphical_warning_banners.cfg b/etc/conf.d/11.3_graphical_warning_banners.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/11.3_graphical_warning_banners.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/lib/utils.sh b/lib/utils.sh index f382475..adc3e30 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -123,8 +123,9 @@ add_line_file_before_pattern() { local LINE=$2 local PATTERN=$3 - backup_file "$1" + backup_file "$FILE" debug "Inserting $LINE before $PATTERN in $FILE" + PATTERN=$(sed 's@/@\/@g' <<< $PATTERN) debug "sed -i '/$PATTERN/i $LINE' $FILE" sed -i "/$PATTERN/i $LINE" $FILE FNRET=0 @@ -135,13 +136,26 @@ replace_in_file() { local SOURCE=$2 local DESTINATION=$3 - backup_file "$1" + backup_file "$FILE" debug "Replacing $SOURCE to $DESTINATION in $FILE" + SOURCE=$(sed 's@/@\/@g' <<< $SOURCE) debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE" sed -i "s/$SOURCE/$DESTINATION/g" $FILE FNRET=0 } +delete_line_in_file() { + local FILE=$1 + local PATTERN=$2 + + backup_file "$FILE" + debug "Deleting lines from $FILE containing $PATTERN" + PATTERN=$(sed 's@/@\/@g' <<< $PATTERN) + debug "sed -i '/$PATTERN/d' $FILE" + sed -i "/$PATTERN/d" $FILE + FNRET=0 +} + # # Users and groups # From d241ae57f97e082de837eb9be3234e4401939004 Mon Sep 17 00:00:00 2001 
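Review bot: The escaping added to `add_line_file_before_pattern`, `replace_in_file` and the new `delete_line_in_file`, `PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)`, does not appear to escape anything: in the replacement part of a sed `s` command a backslash before an ordinary character such as `/` yields that character, so the output equals the input (`sed 's@/@\/@g' <<< a/b` prints `a/b` with GNU sed). The intent needs `'s@/@\\/@g'`, but the cleaner fix is to stop rewriting the pattern and give the `sed -i` calls a delimiter that cannot occur in a path, `sed -i "\|$PATTERN|d" $FILE` (and `\|$PATTERN|i $LINE`, `s|$SOURCE|$DESTINATION|g`). `<<< $PATTERN` and `$FILE` are unquoted in all three functions, so a pattern containing `*` or `[` — the `[[:space:]]*` patterns the 10.1.x scripts pass — is subject to pathname expansion before sed sees it; quote them. These helpers splice `$PATTERN`, `$LINE`, `$SOURCE` and `$DESTINATION` straight into a sed script, so a value containing a newline or an unescaped delimiter becomes sed syntax; every caller today passes a script constant, and a header comment stating `# Arguments are interpolated into a sed script: callers must pass trusted, sed-safe values` would record that assumption.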
From: "thibault.dewailly" Date: Sat, 16 Apr 2016 00:26:19 +0200 Subject: [PATCH 51/64] 12.10_find_suid_files.sh 12.1_etc_passwd_permissions.sh 12.2_etc_shadow_permissions.sh 12.3_etc_group_permissions.sh 12.4_etc_passwd_ownership.sh 12.5_etc_shadow_ownership.sh 12.6_etc_group_ownership.sh 12.7_find_world_writable_file.sh 12.8_find_unowned_files.sh 12.9_find_ungrouped_files.sh --- bin/hardening/12.10_find_suid_files.sh | 58 +++++++++++++++ bin/hardening/12.1_etc_passwd_permissions.sh | 56 +++++++++++++++ bin/hardening/12.2_etc_shadow_permissions.sh | 56 +++++++++++++++ bin/hardening/12.3_etc_group_permissions.sh | 56 +++++++++++++++ bin/hardening/12.4_etc_passwd_ownership.sh | 71 +++++++++++++++++++ bin/hardening/12.5_etc_shadow_ownership.sh | 71 +++++++++++++++++++ bin/hardening/12.6_etc_group_ownership.sh | 71 +++++++++++++++++++ .../12.7_find_world_writable_file.sh | 57 +++++++++++++++ bin/hardening/12.8_find_unowned_files.sh | 59 +++++++++++++++ bin/hardening/12.9_find_ungrouped_files.sh | 59 +++++++++++++++ etc/conf.d/12.10_find_suid_files.cfg | 5 ++ etc/conf.d/12.1_etc_passwd_permissions.cfg | 2 + etc/conf.d/12.2_etc_shadow_permissions.cfg | 2 + etc/conf.d/12.3_etc_group_permissions.cfg | 2 + etc/conf.d/12.4_etc_passwd_ownership.cfg | 2 + etc/conf.d/12.5_etc_shadow_ownership.cfg | 2 + etc/conf.d/12.6_etc_group_ownership.cfg | 2 + etc/conf.d/12.7_find_world_writable_file.cfg | 2 + etc/conf.d/12.8_find_unowned_files.cfg | 2 + etc/conf.d/12.9_find_ungrouped_files.cfg | 2 + 20 files changed, 637 insertions(+) create mode 100755 bin/hardening/12.10_find_suid_files.sh create mode 100755 bin/hardening/12.1_etc_passwd_permissions.sh create mode 100755 bin/hardening/12.2_etc_shadow_permissions.sh create mode 100755 bin/hardening/12.3_etc_group_permissions.sh create mode 100755 bin/hardening/12.4_etc_passwd_ownership.sh create mode 100755 bin/hardening/12.5_etc_shadow_ownership.sh create mode 100755 bin/hardening/12.6_etc_group_ownership.sh create mode 100755 
bin/hardening/12.7_find_world_writable_file.sh create mode 100755 bin/hardening/12.8_find_unowned_files.sh create mode 100755 bin/hardening/12.9_find_ungrouped_files.sh create mode 100644 etc/conf.d/12.10_find_suid_files.cfg create mode 100644 etc/conf.d/12.1_etc_passwd_permissions.cfg create mode 100644 etc/conf.d/12.2_etc_shadow_permissions.cfg create mode 100644 etc/conf.d/12.3_etc_group_permissions.cfg create mode 100644 etc/conf.d/12.4_etc_passwd_ownership.cfg create mode 100644 etc/conf.d/12.5_etc_shadow_ownership.cfg create mode 100644 etc/conf.d/12.6_etc_group_ownership.cfg create mode 100644 etc/conf.d/12.7_find_world_writable_file.cfg create mode 100644 etc/conf.d/12.8_find_unowned_files.cfg create mode 100644 etc/conf.d/12.9_find_ungrouped_files.cfg diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/12.10_find_suid_files.sh new file mode 100755 index 0000000..c6566f1 --- /dev/null +++ b/bin/hardening/12.10_find_suid_files.sh 
@@ -0,0 +1,58 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 12.10 Find SUID System Executables (Not Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Checking if there is suid files" + RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print) + for BINARY in $RESULT; do + if grep -q $BINARY <<< "$EXCEPTIONS"; then + debug "$BINARY is confirmed as an exception" + + RESULT=$(sed '!'"$BINARY"'!d' <<< $RESULT) + fi + done + if [ ! -z "$RESULT" ]; then + crit "Some world writable file are present" + FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') + crit "$FORMATTED_RESULT" + else + ok "No world writable files found" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Removing suid on valid binary may seriously harm your system, report only here" +} + +# This function will check config parameters required +check_config() { + # No param for this function + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/12.1_etc_passwd_permissions.sh b/bin/hardening/12.1_etc_passwd_permissions.sh new file mode 100755 index 0000000..3b6ffc4 --- /dev/null +++ b/bin/hardening/12.1_etc_passwd_permissions.sh 
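Review bot: `RESULT=$(sed '!'"$BINARY"'!d' <<< $RESULT)` in audit() is not valid sed — a non-slash address delimiter must be introduced with a backslash (`\!pattern!d`) — so sed exits non-zero and, under `set -e`, the assignment aborts the whole script the first time a listed exception is encountered. The exception test is also loose in both directions: `grep -q $BINARY <<< "$EXCEPTIONS"` is an unquoted substring regex match, so `/usr/bin/su` counts as excepted whenever `/usr/bin/sudo` is listed, and the sed deletion is a substring match over the whole result. Building the filtered list in the loop with a fixed-string whole-word test (below) removes the sed call and both substring problems; `FORMATTED_RESULT` and the reporting branch stay as they are. The `crit`/`ok` messages say "world writable file" — copied from 12.7 — and should say SUID files, and since audit() reads `$EXCEPTIONS`, check_config() should default it (`: "${EXCEPTIONS:=}"`) rather than state "No param for this function", or `set -u` kills the script when the config leaves it unset.
```shell
    RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print)
    FILTERED=''
    for BINARY in $RESULT; do
        # -F: literal path, -w: whole token, so /usr/bin/su never matches /usr/bin/sudo
        if grep -qwF -- "$BINARY" <<< "$EXCEPTIONS"; then
            debug "$BINARY is confirmed as an exception"
        else
            FILTERED="${FILTERED:+$FILTERED }$BINARY"
        fi
    done
    RESULT=$FILTERED
    # … unchanged: reporting on $RESULT / FORMATTED_RESULT …
```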
@@ -0,0 +1,56 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 12.1 Verify Permissions on /etc/passwd (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/passwd' +PERMISSIONS='644' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/12.2_etc_shadow_permissions.sh b/bin/hardening/12.2_etc_shadow_permissions.sh new file mode 100755 index 0000000..774b470 --- /dev/null +++ b/bin/hardening/12.2_etc_shadow_permissions.sh 
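Review bot: check_config() here is a bare `:`, unlike the ownership scripts 12.4–12.6 which verify the file exists before running; the helper `has_file_correct_permissions` is outside this hunk so its behaviour on a missing file is unknown, but the `chmod 0$PERMISSIONS $FILE` in apply() will certainly fail and, under `set -e`, abort the script with a raw chmod error instead of a `crit`. The same `does_file_exist $FILE` / `crit "$FILE does not exist"` / `exit 128` block used in 12.4 belongs in check_config() here and in the identical 12.2 and 12.3 scripts.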
@@ -0,0 +1,56 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 12.2 Verify Permissions on /etc/shadow (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/shadow' +PERMISSIONS='640' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/12.3_etc_group_permissions.sh b/bin/hardening/12.3_etc_group_permissions.sh new file mode 100755 index 0000000..acfbb87 --- /dev/null +++ b/bin/hardening/12.3_etc_group_permissions.sh 
@@ -0,0 +1,56 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 12.3 Verify Permissions on /etc/group (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/group' +PERMISSIONS='644' + +# This function will be called if the script status is on enabled / audit mode +audit () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + info "fixing $FILE permissions to $PERMISSIONS" + chmod 0$PERMISSIONS $FILE + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/12.4_etc_passwd_ownership.sh b/bin/hardening/12.4_etc_passwd_ownership.sh new file mode 100755 index 0000000..e33312d --- /dev/null +++ b/bin/hardening/12.4_etc_passwd_ownership.sh 
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 12.4 Verify User/Group Ownership on /etc/passwd (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/passwd'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ info "fixing $FILE ownership to $USER:$GROUP"
+ chown $USER:$GROUP $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/12.5_etc_shadow_ownership.sh b/bin/hardening/12.5_etc_shadow_ownership.sh
new file mode 100755
index 0000000..e7c26cd
--- /dev/null
+++ b/bin/hardening/12.5_etc_shadow_ownership.sh
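Review bot: `USER='root'` overwrites the login environment variable `USER` for the rest of the process, and since lib/main.sh is sourced into this same shell afterwards, any helper or log line that reads `$USER` to name the invoking account will see `root` whoever ran the script; the same assignment appears in 12.5, 12.6 and 12.8, and 12.9 does the same with `GROUP`. A script-specific name avoids the collision: `OWNER='root'`, `OWNER_GROUP='root'`, `chown $OWNER:$OWNER_GROUP $FILE`. The audit message `"$FILE is not $USER:$GROUP ownership set"` also reads oddly; `"$FILE is not owned by $USER:$GROUP"` says the same thing clearly.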
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 12.5 Verify User/Group Ownership on /etc/shadow (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/shadow'
+USER='root'
+GROUP='shadow'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ info "fixing $FILE ownership to $USER:$GROUP"
+ chown $USER:$GROUP $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/12.6_etc_group_ownership.sh b/bin/hardening/12.6_etc_group_ownership.sh
new file mode 100755
index 0000000..c2c0a88
--- /dev/null
+++ b/bin/hardening/12.6_etc_group_ownership.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 12.6 Verify User/Group Ownership on /etc/group (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/group'
+USER='root'
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ crit "$FILE is not $USER:$GROUP ownership set"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ has_file_correct_ownership $FILE $USER $GROUP
+ if [ $FNRET = 0 ]; then
+ ok "$FILE has correct ownership"
+ else
+ info "fixing $FILE ownership to $USER:$GROUP"
+ chown $USER:$GROUP $FILE
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ does_user_exist $USER
+ if [ $FNRET != 0 ]; then
+ crit "$USER does not exist"
+ exit 128
+ fi
+ does_group_exist $GROUP
+ if [ $FNRET != 0 ]; then
+ crit "$GROUP does not exist"
+ exit 128
+ fi
+ does_file_exist $FILE
+ if [ $FNRET != 0 ]; then
+ crit "$FILE does not exist"
+ exit 128
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/12.7_find_world_writable_file.sh b/bin/hardening/12.7_find_world_writable_file.sh
new file mode 100755
index 0000000..f530dd6
--- /dev/null
+++ b/bin/hardening/12.7_find_world_writable_file.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 12.7 Find World Writable Files (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if there is world writable files"
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+ if [ ! -z "$RESULT" ]; then
+ crit "Some world writable file are present"
+ FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+ crit "$FORMATTED_RESULT"
+ else
+ ok "No world writable files found"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null)
+ if [ ! -z "$RESULT" ]; then
+ warn "chmoding o-w all files in the system"
+ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print 2>/dev/null| xargs chmod o-w
+ else
+ ok "No world writable files found, nothing to apply"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this function
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/12.8_find_unowned_files.sh b/bin/hardening/12.8_find_unowned_files.sh
new file mode 100755
index 0000000..7b1936c
--- /dev/null
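Review bot: The `apply` pipeline feeds `find -print` into a plain `xargs chmod o-w`, so a filename containing whitespace, quotes or a newline is split or mis-parsed by xargs and `chmod` is run against a path the walk never returned; on a tool that walks every local filesystem as root, file names are the one input an unprivileged local account can shape, so the delimiter matters. Use NUL delimiting, `find '{}' -xdev -type f -perm -0002 -print0 2>/dev/null | xargs -0 chmod o-w --`, or `-exec chmod o-w -- {} +`; the same construct is in 12.8 (`xargs chown`) and 12.9 (`xargs chgrp`). `sed "s/ /\n/g" <<< $RESULT` in `audit` should quote `"$RESULT"` as well, otherwise any glob character in a path is expanded before sed sees it.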
+++ b/bin/hardening/12.8_find_unowned_files.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 12.8 Find Un-owned Files and Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+USER='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if there is unowned files"
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null)
+ if [ ! -z "$RESULT" ]; then
+ crit "Some world writable file are present"
+ FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+ crit "$FORMATTED_RESULT"
+ else
+ ok "No world writable files found"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls 2>/dev/null)
+ if [ ! -z "$RESULT" ]; then
+ warn "chmowing all unowned files in the system"
+ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -print 2>/dev/null | xargs chown $USER
+ else
+ ok "No world writable files found, nothing to apply"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this function
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/12.9_find_ungrouped_files.sh b/bin/hardening/12.9_find_ungrouped_files.sh
new file mode 100755
index 0000000..3ccb671
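Review bot: `xargs chown $USER` in `apply` runs `chown` without `-h`, and `chown` dereferences symbolic links by default, so an unowned symlink (a `-nouser` hit in its own right, e.g. left behind by a deleted account) hands root ownership to whatever file it points at rather than to the link; `chown -h $USER` keeps the change on the object find actually matched, and 12.9 needs the same `-h` on `chgrp`. The messages are copied from 12.7 — "Some world writable file are present" and "No world writable files found" describe the wrong check here and in 12.9 — and `audit` lists with `-print` while apply's own test uses `-ls`, which works but makes the two branches look different for no reason. Suggest `crit "Some unowned files are present"` / `ok "No unowned files found"`, and a sentence in the header comment saying that apply re-owns every such file to root, since that is a stronger action than the audit name implies.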
--- /dev/null
+++ b/bin/hardening/12.9_find_ungrouped_files.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 12.9 Find Un-grouped Files and Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+GROUP='root'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if there is unowned files"
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null)
+ if [ ! -z "$RESULT" ]; then
+ crit "Some world writable file are present"
+ FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+ crit "$FORMATTED_RESULT"
+ else
+ ok "No world writable files found"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls 2>/dev/null)
+ if [ ! -z "$RESULT" ]; then
+ warn "chmowing all ungrouped files in the system"
+ df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -print 2>/dev/null | xargs chgrp $GROUP
+ else
+ ok "No world writable files found, nothing to apply"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ # No param for this function
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/12.10_find_suid_files.cfg b/etc/conf.d/12.10_find_suid_files.cfg
new file mode 100644
index 0000000..329e0ff
--- /dev/null
+++ b/etc/conf.d/12.10_find_suid_files.cfg
@@ -0,0 +1,5 @@
+# Configuration for script of same name
+status=enabled
+
+# Put Here your valid suid binaries so that they do not appear during the audit
+EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown"
diff --git a/etc/conf.d/12.1_etc_passwd_permissions.cfg b/etc/conf.d/12.1_etc_passwd_permissions.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/12.1_etc_passwd_permissions.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/12.2_etc_shadow_permissions.cfg b/etc/conf.d/12.2_etc_shadow_permissions.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/12.2_etc_shadow_permissions.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/12.3_etc_group_permissions.cfg b/etc/conf.d/12.3_etc_group_permissions.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/12.3_etc_group_permissions.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/12.4_etc_passwd_ownership.cfg b/etc/conf.d/12.4_etc_passwd_ownership.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/12.4_etc_passwd_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/12.5_etc_shadow_ownership.cfg b/etc/conf.d/12.5_etc_shadow_ownership.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/12.5_etc_shadow_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/12.6_etc_group_ownership.cfg b/etc/conf.d/12.6_etc_group_ownership.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/12.6_etc_group_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/12.7_find_world_writable_file.cfg b/etc/conf.d/12.7_find_world_writable_file.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/12.7_find_world_writable_file.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/12.8_find_unowned_files.cfg b/etc/conf.d/12.8_find_unowned_files.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/12.8_find_unowned_files.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/12.9_find_ungrouped_files.cfg b/etc/conf.d/12.9_find_ungrouped_files.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/12.9_find_ungrouped_files.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From fffd9842d6e374e7375e623b0bb393c1bfbb128e Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Sat, 16 Apr 2016 12:57:24 +0200
Subject: [PATCH 52/64] 12.11_find_sgid_files.sh
---
 bin/hardening/10.2_disable_system_accounts.sh | 32 +++++++++- bin/hardening/12.10_find_suid_files.sh | 7 +-- bin/hardening/12.11_find_sgid_files.sh | 58 +++++++++++++++++++ etc/conf.d/10.2_disable_system_accounts.cfg | 2 +- etc/conf.d/12.11_find_sgid_files.cfg | 4 ++ 5 files changed, 95 insertions(+), 8 deletions(-) create mode 100755 bin/hardening/12.11_find_sgid_files.sh create mode 100644 etc/conf.d/12.11_find_sgid_files.cfg
diff --git a/bin/hardening/10.2_disable_system_accounts.sh b/bin/hardening/10.2_disable_system_accounts.sh
index 1aa9421..7821e66 100755
--- a/bin/hardening/10.2_disable_system_accounts.sh
+++ b/bin/hardening/10.2_disable_system_accounts.sh @@ -19,7 +19,20 @@ RESULT='' # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if admin accounts have login different from $SHELL" - eval $(RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}' | grep -v "$EXCEPTIONS")) + RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}') + for LINE in $RESULT; do + debug "line : $LINE" + ACCOUNT=$( echo $LINE | cut -d: -f 1 ) + debug "Account : $ACCOUNT" + debug "Exceptions : $EXCEPTIONS" + debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT" + if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then + debug "$ACCOUNT is confirmed as an exception" + RESULT=$(sed "s!$LINE!!" <<< "$RESULT") + else + debug "$ACCOUNT not found in exceptions" + fi + done if [ ! -z "$RESULT" ]; then crit "Some admin accounts have not $SHELL as shell" crit "$RESULT" 
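Review bot: `for LINE in $RESULT` word-splits the passwd entries on whitespace, so an account whose GECOS field contains a space (several Debian system accounts do) is iterated as two or more fragments: `cut -d: -f 1` on a fragment yields junk, the exception lookup misses, and `sed "s!$LINE!!"` edits only part of the entry, leaving a mangled line in the report. Iterate line by line instead, `while IFS= read -r LINE; do ... done <<< "$RESULT"`. `echo "$EXCEPTIONS" | grep -q $ACCOUNT` is also an unanchored regex match, so an exception named `admin` silently also excuses `sysadmin`; `grep -qw -- "$ACCOUNT"` restricts it to whole words. The `apply` hunk below repeats this loop verbatim and needs the same changes.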
@@ -30,7 +43,20 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - eval $(RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}' | grep -v "$EXCEPTIONS")) + RESULT=$(egrep -v "^\+" $FILE | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}') + for LINE in $RESULT; do + debug "line : $LINE" + ACCOUNT=$( echo $LINE | cut -d: -f 1 ) + debug "Account : $ACCOUNT" + debug "Exceptions : $EXCEPTIONS" + debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT" + if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then + debug "$ACCOUNT is confirmed as an exception" + RESULT=$(sed "s!$LINE!!" <<< "$RESULT") + else + debug "$ACCOUNT not found in exceptions" + fi + done if [ ! -z "$RESULT" ]; then warn "Some admin accounts have not $SHELL as shell" warn "$RESULT" @@ -45,7 +71,7 @@ apply () { # This function will check config parameters required check_config() { - if [ -z $EXCEPTIONS ]; then + if [ -z "$EXCEPTIONS" ]; then EXCEPTIONS="@" fi } diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/12.10_find_suid_files.sh index c6566f1..f43cbc0 100755 --- a/bin/hardening/12.10_find_suid_files.sh +++ b/bin/hardening/12.10_find_suid_files.sh @@ -19,16 +19,15 @@ audit () { for BINARY in $RESULT; do if grep -q $BINARY <<< "$EXCEPTIONS"; then debug "$BINARY is confirmed as an exception" - - RESULT=$(sed '!'"$BINARY"'!d' <<< $RESULT) + RESULT=$(sed "s!$BINARY!!" <<< $RESULT) fi done if [ ! -z "$RESULT" ]; then - crit "Some world writable file are present" + crit "Some suid files are present" FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ') crit "$FORMATTED_RESULT" else - ok "No world writable files found" + ok "No unknown suid files found" fi } 
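Review bot: `if [ -z "$EXCEPTIONS" ]` in the `check_config` hunk runs under `set -u`, so a configuration that omits `EXCEPTIONS` altogether (assuming the .cfg is where it is set) aborts with an unbound-variable error before the default `@` is ever assigned; the quoting added in this hunk does not change that. `if [ -z "${EXCEPTIONS:-}" ]; then` covers both the unset and the empty case. The identical `check_config` body appears in 12.11 and 13.5 later in this series.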
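Review bot: In the 12.10 hunk, `RESULT=$(sed "s!$BINARY!!" <<< $RESULT)` deletes the first substring match of the path rather than a whole entry, so with both `/bin/ping` and `/bin/ping6` in the result the substitution for `/bin/ping` can hit `/bin/ping6` first and leave a stray `6`, which is then reported as an unknown suid file; `grep -q $BINARY <<< "$EXCEPTIONS"` has the mirror problem, treating the found path as an unanchored regex so a suid `/bin/ping` is accepted whenever only `/bin/ping6` is in the exception list. Match whole entries instead, e.g. `grep -qxF -- "$BINARY" <<< "${EXCEPTIONS// /$'\n'}"` for the membership test, and accumulate the non-excepted paths into a fresh list rather than editing `RESULT` in place with sed. 12.11 (sgid) and 13.5 (uid 0 accounts) copy the same two constructs. The `for BINARY in $RESULT` loop and its `<<< $RESULT` (unquoted) begin before this hunk.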
diff --git a/bin/hardening/12.11_find_sgid_files.sh b/bin/hardening/12.11_find_sgid_files.sh
new file mode 100755
index 0000000..783be7e
--- /dev/null
+++ b/bin/hardening/12.11_find_sgid_files.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 12.11 Find SGID System Executables (Not Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if there is sgid files"
+ RESULT=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print)
+ for BINARY in $RESULT; do
+ if grep -q $BINARY <<< "$EXCEPTIONS"; then
+ debug "$BINARY is confirmed as an exception"
+ RESULT=$(sed "s!$BINARY!!" <<< $RESULT)
+ fi
+ done
+ if [ ! -z "$RESULT" ]; then
+ crit "Some sgid files are present"
+ FORMATTED_RESULT=$(sed "s/ /\n/g" <<< $RESULT | sort | uniq | tr '\n' ' ')
+ crit "$FORMATTED_RESULT"
+ else
+ ok "No unknown sgid files found"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Removing sgid on valid binary may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ if [ -z "$EXCEPTIONS" ]; then
+ EXCEPTIONS="@"
+ fi
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/10.2_disable_system_accounts.cfg b/etc/conf.d/10.2_disable_system_accounts.cfg
index 4f45edf..3ddfab4 100644
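Review bot: The `find` in `audit` drops the `2>/dev/null` that the sibling walkers 12.7–12.9 use, so on a mount point the walk cannot fully read, find's permission errors are interleaved with the logger output instead of being suppressed like everywhere else; the line should end `-perm -2000 -print 2>/dev/null)` for consistency. Note also that under `set -e` the assignment takes the status of the `xargs` stage, and xargs reports a non-zero find as 123, so an unreadable directory ends the audit rather than producing a partial report — that behaviour is shared with the siblings, so if it is intended the header comment should say so.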
--- a/etc/conf.d/10.2_disable_system_accounts.cfg +++ b/etc/conf.d/10.2_disable_system_accounts.cfg @@ -1,4 +1,4 @@ # Configuration for script of same name status=enabled -# Put here your exceptions concerning admin shells +# Put here your exceptions concerning admin accounts shells separated by spaces EXCEPTIONS="" diff --git a/etc/conf.d/12.11_find_sgid_files.cfg b/etc/conf.d/12.11_find_sgid_files.cfg new file mode 100644 index 0000000..09b501c --- /dev/null +++ b/etc/conf.d/12.11_find_sgid_files.cfg @@ -0,0 +1,4 @@ +# Configuration for script of same name +status=enabled +# Put here valid binaries with sgid enabled separated by spaces +EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue" From dbc24bb8d74a41bad9e813112616e72d190fc4a5 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Sat, 16 Apr 2016 15:10:14 +0200 Subject: [PATCH 53/64] 13.1_remove_empry_password_field.sh --- .../13.1_remove_empry_password_field.sh | 60 +++++++++++++++++++ .../13.1_remove_empry_password_field.cfg | 2 + etc/hardening.cfg | 2 +- 3 files changed, 63 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/13.1_remove_empry_password_field.sh create mode 100644 etc/conf.d/13.1_remove_empry_password_field.cfg diff --git a/bin/hardening/13.1_remove_empry_password_field.sh b/bin/hardening/13.1_remove_empry_password_field.sh new file mode 100755 index 0000000..db05a19 --- /dev/null +++ b/bin/hardening/13.1_remove_empry_password_field.sh 
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.1 Ensure Password Fields are Not Empty (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/shadow'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if accounts have empty passwords"
+ RESULT=$(/bin/cat $FILE | /usr/bin/awk -F: '($2 == "" ) { print $1 }')
+ if [ ! -z "$RESULT" ]; then
+ crit "Some accounts have empty passwords"
+ crit $RESULT
+ else
+ ok "All accounts have a password"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ RESULT=$(/bin/cat $FILE | /usr/bin/awk -F: '($2 == "" ) { print $1 }')
+ if [ ! -z "$RESULT" ]; then
+ warn "Some accounts have empty passwords"
+ for ACCOUNT in $RESULT; do
+ info "Locking $ACCOUNT"
+ passwd -l $ACCOUNT >/dev/null 2>&1
+ done
+ else
+ ok "All accounts have a password"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/13.1_remove_empry_password_field.cfg b/etc/conf.d/13.1_remove_empry_password_field.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/13.1_remove_empry_password_field.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/hardening.cfg b/etc/hardening.cfg
index d7cbc71..2697cd8 100644
--- a/etc/hardening.cfg
+++ b/etc/hardening.cfg
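Review bot: `passwd -l $ACCOUNT >/dev/null 2>&1` in `apply` discards the reason for any failure, and because `set -e` is active the first lock that fails aborts the loop, leaving the remaining empty-password accounts untouched with no log line saying which one stopped the run. `passwd -l "$ACCOUNT" >/dev/null 2>&1 || crit "Failed to lock $ACCOUNT"` keeps the loop going and records the account that was not locked. `crit $RESULT` in `audit` is also unquoted — `crit "$RESULT"`, as the `warn` in `apply` already does — so a glob character in the output is not expanded against the working directory.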
@@ -4,6 +4,6 @@ # Valid values are debug info ok warning error LOGLEVEL=debug -# Backup directory, every file touched by hardennign will be backuped here, with versionning +# Backup directory, every file modified by hardening will be backuped here, with versionning # Means that if a file is modified more than once during the process, you will have hardening step diffs in the folder BACKUPDIR="$CIS_ROOT_DIR/tmp/backups" From b24a415dcedd3b760f5bb5baac2beda88944dd92 Mon Sep 17 00:00:00 2001 
From: "thibault.dewailly" Date: Sat, 16 Apr 2016 17:25:48 +0200 Subject: [PATCH 54/64] 13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh --- bin/hardening/10.3_default_root_group.sh | 2 +- .../10.5_lock_inactive_user_account.sh | 2 +- ...sh => 13.1_remove_empty_password_field.sh} | 4 +- .../13.2_remove_legacy_passwd_entries.sh | 61 ++++++++++++++ .../13.3_remove_legacy_shadow_entries.sh | 61 ++++++++++++++ .../13.4_remove_legacy_group_entries.sh | 61 ++++++++++++++ .../13.5_find_0_uid_non_root_account.sh | 65 ++++++++++++++ bin/hardening/13.6_sanitize_root_path.sh | 84 +++++++++++++++++++ bin/hardenning.sh | 16 ++++ ...g => 13.1_remove_empty_password_field.cfg} | 0 .../13.2_remove_legacy_passwd_entries.cfg | 2 + .../13.3_remove_legacy_shadow_entries.cfg | 2 + .../13.4_remove_legacy_group_entries.cfg | 2 + .../13.5_find_0_uid_non_root_account.cfg | 4 + etc/conf.d/13.6_sanitize_root_path.cfg | 2 + lib/utils.sh | 6 +- 16 files changed, 367 insertions(+), 7 deletions(-) rename bin/hardening/{13.1_remove_empry_password_field.sh => 13.1_remove_empty_password_field.sh} (90%) create mode 100755 bin/hardening/13.2_remove_legacy_passwd_entries.sh create mode 100755 bin/hardening/13.3_remove_legacy_shadow_entries.sh create mode 100755 bin/hardening/13.4_remove_legacy_group_entries.sh create mode 100755 bin/hardening/13.5_find_0_uid_non_root_account.sh create mode 100755 bin/hardening/13.6_sanitize_root_path.sh create mode 100644 bin/hardenning.sh rename etc/conf.d/{13.1_remove_empry_password_field.cfg => 13.1_remove_empty_password_field.cfg} (100%) create mode 100644 etc/conf.d/13.2_remove_legacy_passwd_entries.cfg create mode 100644 etc/conf.d/13.3_remove_legacy_shadow_entries.cfg create mode 100644 etc/conf.d/13.4_remove_legacy_group_entries.cfg create mode 100644 etc/conf.d/13.5_find_0_uid_non_root_account.cfg create 
mode 100644 etc/conf.d/13.6_sanitize_root_path.cfg diff --git a/bin/hardening/10.3_default_root_group.sh b/bin/hardening/10.3_default_root_group.sh index a01fa34..d534d35 100755 --- a/bin/hardening/10.3_default_root_group.sh +++ b/bin/hardening/10.3_default_root_group.sh @@ -6,7 +6,7 @@ # # -# 10.1.3 Set Password Expiring Warning Days (Scored) +# 10.3 Set Default Group for root Account (Scored) # set -e # One error, it's over diff --git a/bin/hardening/10.5_lock_inactive_user_account.sh b/bin/hardening/10.5_lock_inactive_user_account.sh index 6d82eff..9c025ec 100755 --- a/bin/hardening/10.5_lock_inactive_user_account.sh +++ b/bin/hardening/10.5_lock_inactive_user_account.sh @@ -6,7 +6,7 @@ # # -# 10.4 Set Default umask for Users (Scored) +# 10.5 Lock Inactive User Accounts (Scored) # set -e # One error, it's over diff --git a/bin/hardening/13.1_remove_empry_password_field.sh b/bin/hardening/13.1_remove_empty_password_field.sh similarity index 90% rename from bin/hardening/13.1_remove_empry_password_field.sh rename to bin/hardening/13.1_remove_empty_password_field.sh index db05a19..6c17732 100755 --- a/bin/hardening/13.1_remove_empry_password_field.sh +++ b/bin/hardening/13.1_remove_empty_password_field.sh @@ -17,7 +17,7 @@ FILE='/etc/shadow' # This function will be called if the script status is on enabled / audit mode audit () { info "Checking if accounts have empty passwords" - RESULT=$(/bin/cat $FILE | /usr/bin/awk -F: '($2 == "" ) { print $1 }') + RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }') if [ ! -z "$RESULT" ]; then crit "Some accounts have empty passwords" crit $RESULT @@ -28,7 +28,7 @@ audit () { # This function will be called if the script status is on enabled mode apply () { - RESULT=$(/bin/cat $FILE | /usr/bin/awk -F: '($2 == "" ) { print $1 }') + RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }') if [ ! -z "$RESULT" ]; then warn "Some accounts have empty passwords" for ACCOUNT in $RESULT; do 
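Review bot: Since both lines of 13.1 are being touched to drop the absolute paths, the `cat $FILE |` in front of `awk` can go at the same time: `RESULT=$(awk -F: '($2 == "" ) { print $1 }' "$FILE")` reads the file directly, quotes the path, and under `set -e` ties the assignment's status to awk rather than to the pipeline's last stage. The same line appears in both the `audit` and `apply` hunks of this file.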
diff --git a/bin/hardening/13.2_remove_legacy_passwd_entries.sh b/bin/hardening/13.2_remove_legacy_passwd_entries.sh
new file mode 100755
index 0000000..1ad0e75
--- /dev/null
+++ b/bin/hardening/13.2_remove_legacy_passwd_entries.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/passwd'
+RESULT=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if accounts have empty passwords"
+ if grep '^+:' $FILE -q; then
+ RESULT=$(grep '^+:' $FILE)
+ crit "Some accounts have legacy password entry"
+ crit $RESULT
+ else
+ ok "All accounts have a valid password entry format"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if grep '^+:' $FILE -q; then
+ RESULT=$(grep '^+:' $FILE)
+ warn "Some accounts have legacy password entry"
+ for LINE in $RESULT; do
+ info "Removing $LINE from $FILE"
+ delete_line_in_file $FILE $LINE
+ done
+ else
+ ok "All accounts have a valid password entry format"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.3_remove_legacy_shadow_entries.sh b/bin/hardening/13.3_remove_legacy_shadow_entries.sh
new file mode 100755
index 0000000..e272c64
--- /dev/null
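Review bot: The `info "Checking if accounts have empty passwords"` line and the crit/ok texts are carried over from 13.1, but this script looks for legacy `+:` entries, and in 13.4 the same strings are reused for /etc/group where "password entry" is simply wrong; suggest `info "Checking if $FILE contains legacy + entries"` and `crit "Some legacy + entries are present in $FILE"` here and in 13.3/13.4. `delete_line_in_file $FILE $LINE` also passes the matched line unquoted, and if the helper uses it as a sed or grep pattern the leading `+` and any `.` or `*` in the entry are metacharacters rather than literal text — worth confirming against lib/utils.sh, whose hunk is outside this chunk, and passing `"$LINE"` either way.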
+++ b/bin/hardening/13.3_remove_legacy_shadow_entries.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+FILE='/etc/shadow'
+RESULT=''
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ info "Checking if accounts have empty passwords"
+ if grep '^+:' $FILE -q; then
+ RESULT=$(grep '^+:' $FILE)
+ crit "Some accounts have legacy password entry"
+ crit $RESULT
+ else
+ ok "All accounts have a valid password entry format"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if grep '^+:' $FILE -q; then
+ RESULT=$(grep '^+:' $FILE)
+ warn "Some accounts have legacy password entry"
+ for LINE in $RESULT; do
+ info "Removing $LINE from $FILE"
+ delete_line_in_file $FILE $LINE
+ done
+ else
+ ok "All accounts have a valid password entry format"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.4_remove_legacy_group_entries.sh b/bin/hardening/13.4_remove_legacy_group_entries.sh
new file mode 100755
index 0000000..64c7cd4
--- /dev/null
+++ b/bin/hardening/13.4_remove_legacy_group_entries.sh
@@ -0,0 +1,61 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/group' +RESULT='' + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Checking if accounts have empty passwords" + if grep '^+:' $FILE -q; then + RESULT=$(grep '^+:' $FILE) + crit "Some accounts have legacy password entry" + crit $RESULT + else + ok "All accounts have a valid password entry format" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + if grep '^+:' $FILE -q; then + RESULT=$(grep '^+:' $FILE) + warn "Some accounts have legacy password entry" + for LINE in $RESULT; do + info "Removing $LINE from $FILE" + delete_line_in_file $FILE $LINE + done + else + ok "All accounts have a valid password entry format" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/13.5_find_0_uid_non_root_account.sh b/bin/hardening/13.5_find_0_uid_non_root_account.sh new file mode 100755 index 0000000..e6ab002 --- /dev/null +++ b/bin/hardening/13.5_find_0_uid_non_root_account.sh 
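Review bot: Every message in this script is copied from the passwd check and is wrong for /etc/group — "Checking if accounts have empty passwords", "legacy password entry", "valid password entry format" — which will confuse anyone reading the audit log; they should read `info "Checking for legacy '+' entries in $FILE"` and `crit "Some groups have a legacy '+' entry"`. The apply loop has the same word-splitting issue as 13.2/13.3 (a `+` group line with a member list containing spaces would be split into several unanchored sed patterns); `delete_line_in_file "$FILE" '^+:'` removes exactly the lines audit matched without a loop. Quote `crit "$RESULT"` as well.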
@@ -0,0 +1,65 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +FILE='/etc/passwd' +RESULT='' + +# This function will be called if the script status is on enabled / audit mode +audit () { + info "Checking if accounts have uid 0" + RESULT=$(cat $FILE | awk -F: '($3 == 0 && $1!="root" ) { print $1 }') + for ACCOUNT in $RESULT; do + debug "Account : $ACCOUNT" + debug "Exceptions : $EXCEPTIONS" + debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT" + if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then + debug "$ACCOUNT is confirmed as an exception" + RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT") + else + debug "$ACCOUNT not found in exceptions" + fi + done + if [ ! -z "$RESULT" ]; then + crit "Some accounts have uid 0" + crit $RESULT + else + ok "No account with suid 0 apart root" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Removing accounts with uid 0 may seriously harm your system, report only here" +} + +# This function will check config parameters required +check_config() { + if [ -z "$EXCEPTIONS" ]; then + EXCEPTIONS="@" + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/13.6_sanitize_root_path.sh b/bin/hardening/13.6_sanitize_root_path.sh new file mode 100755 index 0000000..73f03ea --- /dev/null +++ b/bin/hardening/13.6_sanitize_root_path.sh 
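Review bot: The exception test `echo "$EXCEPTIONS" | grep -q $ACCOUNT` is an unanchored regex substring match, so a UID-0 account whose name is a substring of a listed exception (with `EXCEPTIONS="toor"`, an account named `oo` passes) or that contains regex metacharacters is silently accepted — which is exactly the account this control exists to catch. Match whole entries instead: `if tr ' ' '\n' <<< "$EXCEPTIONS" | grep -qxF -- "$ACCOUNT"; then`, and make the removal exact too, `RESULT=$(tr ' ' '\n' <<< "$RESULT" | grep -vxF -- "$ACCOUNT")`, since `sed "s!$ACCOUNT!!"` likewise strips substrings from other names. The default `EXCEPTIONS="@"` in check_config works only because `@` cannot occur in an account name; a comment saying so would help the next reader. Minor: `cat $FILE | awk ...` can be `awk ... "$FILE"`, and the `ok` text says "suid 0" where it means "uid 0".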
@@ -0,0 +1,84 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.6 Ensure root PATH Integrity (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ "`echo $PATH | grep :: `" != "" ]; then + crit "Empty Directory in PATH (::)" + ERRORS=$((ERRORS+1)) + fi + if [ "`echo $PATH | grep :$`" != "" ]; then + crit "Trailing : in PATH $PATH" + ERRORS=$((ERRORS+1)) + fi + FORMATTED_PATH=$(echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g') + set -- $FORMATTED_PATH + while [ "${1:-}" != "" ]; do + if [ "$1" = "." ]; then + crit "PATH contains ." + ERRORS=$((ERRORS+1)) + else + if [ -d $1 ]; then + dirperm=$(ls -ldH $1 | cut -f1 -d" ") + if [ $(echo $dirperm | cut -c6 ) != "-" ]; then + crit "Group Write permission set on directory $1" + ERRORS=$((ERRORS+1)) + fi + if [ $(echo $dirperm | cut -c9 ) != "-" ]; then + crit "Other Write permission set on directory $1" + ERRORS=$((ERRORS+1)) + fi + dirown=$(ls -ldH $1 | awk '{print $3}') + if [ "$dirown" != "root" ] ; then + crit "$1 is not owned by root" + ERRORS=$((ERRORS+1)) + fi + else + crit "$1 is not a directory" + ERRORS=$((ERRORS+1)) + fi + fi + shift + done + + if [ $ERRORS = 0 ]; then + ok "root PATH is secure" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + info "Editing items from PATH may seriously harm your system, report only here" +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardenning.sh b/bin/hardenning.sh new file mode 100644 index 0000000..d717d9b --- /dev/null +++ b/bin/hardenning.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +# CIs Deb +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# Main script : Execute hardening considering configuration +# + +# Execute blindly binaries +# Audit mode + +# ls | sort -n diff --git a/etc/conf.d/13.1_remove_empry_password_field.cfg b/etc/conf.d/13.1_remove_empty_password_field.cfg similarity index 100% rename from etc/conf.d/13.1_remove_empry_password_field.cfg rename to etc/conf.d/13.1_remove_empty_password_field.cfg diff --git a/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg b/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg b/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/13.4_remove_legacy_group_entries.cfg b/etc/conf.d/13.4_remove_legacy_group_entries.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.4_remove_legacy_group_entries.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/13.5_find_0_uid_non_root_account.cfg b/etc/conf.d/13.5_find_0_uid_non_root_account.cfg new file mode 100644 index 0000000..9b61b4a --- /dev/null 
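Review bot: A leading colon in PATH (`:/usr/bin`) denotes the current directory just like `::` and a trailing colon, but only the latter two are tested; add the third check beside them: `if [ "$(echo $PATH | grep '^:')" != "" ]; then crit "Leading : in PATH $PATH"; ERRORS=$((ERRORS+1)); fi`. The audit examines `$PATH` of the shell that runs the script, which under cron, `sudo` with secure_path or a service unit is not root's login PATH, so a comment such as `# Inspects the PATH of the invoking shell; run from a root login shell to audit root's real PATH` would prevent false passes. `dirperm=$(ls -ldH $1 | cut -f1 -d" ")` and `dirown=$(ls -ldH $1 | awk '{print $3}')` parse ls output with an unquoted `$1`; `read -r dirperm dirown < <(stat -L -c '%A %U' -- "$1")` yields both values in one call without the parsing. The 13.6 audit function is entirely inside this hunk, which begins on the previous line.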
+++ b/etc/conf.d/13.5_find_0_uid_non_root_account.cfg @@ -0,0 +1,4 @@ +# Configuration for script of same name +status=enabled +# Put here valid accounts with uid 0 separated by spaces +EXCEPTIONS="" diff --git a/etc/conf.d/13.6_sanitize_root_path.cfg b/etc/conf.d/13.6_sanitize_root_path.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.6_sanitize_root_path.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/lib/utils.sh b/lib/utils.sh index adc3e30..e46a09f 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -125,7 +125,7 @@ add_line_file_before_pattern() { backup_file "$FILE" debug "Inserting $LINE before $PATTERN in $FILE" - PATTERN=$(sed 's@/@\/@g' <<< $PATTERN) + PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN) debug "sed -i '/$PATTERN/i $LINE' $FILE" sed -i "/$PATTERN/i $LINE" $FILE FNRET=0 @@ -138,7 +138,7 @@ replace_in_file() { backup_file "$FILE" debug "Replacing $SOURCE to $DESTINATION in $FILE" - SOURCE=$(sed 's@/@\/@g' <<< $SOURCE) + SOURCE=$(sed 's@/@\\\/@g' <<< $PATTERN) debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE" sed -i "s/$SOURCE/$DESTINATION/g" $FILE FNRET=0 @@ -150,7 +150,7 @@ delete_line_in_file() { backup_file "$FILE" debug "Deleting lines from $FILE containing $PATTERN" - PATTERN=$(sed 's@/@\/@g' <<< $PATTERN) + PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN) debug "sed -i '/$PATTERN/d' $FILE" sed -i "/$PATTERN/d" $FILE FNRET=0 From f82a4382469ad130b92a08b156ff5937b23158a9 Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Sat, 16 Apr 2016 18:11:53 +0200 Subject: [PATCH 55/64] 13.7_check_user_dir_perm.sh --- bin/{hardenning.sh => hardening.sh} | 0 bin/hardening/13.7_check_user_dir_perm.sh | 101 ++++++++++++++++++++++ etc/conf.d/13.7_check_user_dir_perm.cfg | 4 + 3 files changed, 105 insertions(+) rename bin/{hardenning.sh => hardening.sh} (100%) create mode 100755 bin/hardening/13.7_check_user_dir_perm.sh create mode 100644 etc/conf.d/13.7_check_user_dir_perm.cfg 
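Review bot: In the `replace_in_file` hunk the new line reads `SOURCE=$(sed 's@/@\\\/@g' <<< $PATTERN)` — it escapes `$PATTERN` rather than `$SOURCE`, so with `set -u` the function aborts when PATTERN is unset, and otherwise whatever PATTERN last held is what `sed -i "s/$SOURCE/$DESTINATION/g"` substitutes into the target file. It should be `SOURCE=$(sed 's@/@\\\/@g' <<< $SOURCE)`. All three helpers escape only `/`; `.`, `*`, `[`, `^` and `$` in a caller's pattern and `&` in DESTINATION keep their sed meaning, and the 13.2–13.4 scripts earlier in this series pass whole passwd/group lines through `delete_line_in_file`, so each helper deserves a comment such as `# PATTERN is used as a sed BRE; only '/' is escaped here`. The three function definitions start outside the hunks' context lines.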
diff --git a/bin/hardenning.sh b/bin/hardening.sh
similarity index 100%
rename from bin/hardenning.sh
rename to bin/hardening.sh
diff --git a/bin/hardening/13.7_check_user_dir_perm.sh b/bin/hardening/13.7_check_user_dir_perm.sh
new file mode 100755
index 0000000..bad4299
--- /dev/null
+++ b/bin/hardening/13.7_check_user_dir_perm.sh
@@ -0,0 +1,101 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.7 Check Permissions on User Home Directories (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 +PERMISSION="750" + +# This function will be called if the script status is on enabled / audit mode +audit () { + for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $dir" + debug "Exceptions : $EXCEPTIONS" + debug "echo \"$EXCEPTIONS\" | grep -q $dir" + if echo "$EXCEPTIONS" | grep -q $dir; then + debug "$dir is confirmed as an exception" + RESULT=$(sed "s!$dir!!" <<< "$RESULT") + else + debug "$dir not found in exceptions" + fi + if [ -d $dir ]; then + dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ") + if [ $(echo $dirperm | cut -c6 ) != "-" ]; then + crit "Group Write permission set on directory $dir" + fi + if [ $(echo $dirperm | cut -c8 ) != "-" ]; then + crit "Other Read permission set on directory $dir" + fi + if [ $(echo $dirperm | cut -c9 ) != "-" ]; then + crit "Other Write permission set on directory $dir" + fi + if [ $(echo $dirperm | cut -c10 ) != "-" ]; then + crit "Other Execute permission set on directory $dir" + fi + fi + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for dir in $(cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $dir" + debug "Exceptions : $EXCEPTIONS" + debug "echo \"$EXCEPTIONS\" | grep -q $dir" + if echo "$EXCEPTIONS" | grep -q $dir; then + debug "$dir is confirmed as an exception" + RESULT=$(sed "s!$dir!!" 
<<< "$RESULT") + else + debug "$dir not found in exceptions" + fi + if [ -d $dir ]; then + dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ") + if [ $(echo $dirperm | cut -c6 ) != "-" ]; then + warn "Group Write permission set on directory $dir" + chmod g-w $dir + fi + if [ $(echo $dirperm | cut -c8 ) != "-" ]; then + warn "Other Read permission set on directory $dir" + chmod o-r $dir + fi + if [ $(echo $dirperm | cut -c9 ) != "-" ]; then + warn "Other Write permission set on directory $dir" + chmod o-w $dir + fi + if [ $(echo $dirperm | cut -c10 ) != "-" ]; then + warn "Other Execute permission set on directory $dir" + chmod o-x $dir + fi + fi + done +} + +# This function will check config parameters required +check_config() { + if [ -z "$EXCEPTIONS" ]; then + EXCEPTIONS="@" + fi +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/13.7_check_user_dir_perm.cfg b/etc/conf.d/13.7_check_user_dir_perm.cfg new file mode 100644 index 0000000..cfad1b4 --- /dev/null +++ b/etc/conf.d/13.7_check_user_dir_perm.cfg @@ -0,0 +1,4 @@ +# Configuration for script of same name +status=enabled +# Put here user home directories exceptions, separated by spaces +EXCEPTIONS="" From 83cd95756d1facbe89e387fa4996a1c11e0c51cb Mon Sep 17 00:00:00 2001 
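Review bot: The EXCEPTIONS mechanism does not exclude anything: after `debug "$dir is confirmed as an exception"` both loops run `RESULT=$(sed "s!$dir!!" <<< "$RESULT")` — RESULT is never initialised in this script, so under `set -u` the first matching exception aborts the run — and then fall through to the permission checks, so in enabled mode an excepted home directory is still chmod'ed. Replace that line with `continue` in both audit and apply. The account filter `egrep -v '(root|halt|sync|shutdown)'` is unanchored over the whole passwd line, so a user whose name, GECOS or home path merely contains one of those words is skipped; anchor it on the name field inside awk, `awk -F: '$1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" { print $6 }' /etc/passwd`, and note that `$7 !="/nonexistent"` compares the shell field with what is a home-directory path on Debian, so it presumably meant `$6` — confirm. Since apply runs as root and chmods whatever home path passwd lists, consider restricting to UID >= 1000 as 13.12 later in this series does, so a service account whose home is `/` or a shared system directory cannot have other-read/execute stripped from it. The hunk begins on the previous line.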
From: "thibault.dewailly" Date: Sat, 16 Apr 2016 18:32:09 +0200 Subject: [PATCH 56/64] 13.8_check_user_dot_file_perm.sh 13.9_set_perm_on_user_netrc.sh --- bin/hardening/13.7_check_user_dir_perm.sh | 10 ++- .../13.8_check_user_dot_file_perm.sh | 77 +++++++++++++++++++ bin/hardening/13.9_set_perm_on_user_netrc.sh | 70 +++++++++++++++++ etc/conf.d/13.8_check_user_dot_file_perm.cfg | 2 + etc/conf.d/13.9_set_perm_on_user_netrc.cfg | 2 + 5 files changed, 160 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/13.8_check_user_dot_file_perm.sh create mode 100755 bin/hardening/13.9_set_perm_on_user_netrc.sh create mode 100644 etc/conf.d/13.8_check_user_dot_file_perm.cfg create mode 100644 etc/conf.d/13.9_set_perm_on_user_netrc.cfg diff --git a/bin/hardening/13.7_check_user_dir_perm.sh b/bin/hardening/13.7_check_user_dir_perm.sh index bad4299..bd8eb5f 100755 --- a/bin/hardening/13.7_check_user_dir_perm.sh +++ b/bin/hardening/13.7_check_user_dir_perm.sh @@ -13,7 +13,6 @@ set -e # One error, it's over set -u # One variable unset, it's over ERRORS=0 -PERMISSION="750" # This function will be called if the script status is on enabled / audit mode audit () { @@ -31,18 +30,27 @@ audit () { dirperm=$(/bin/ls -ld $dir | cut -f1 -d" ") if [ $(echo $dirperm | cut -c6 ) != "-" ]; then crit "Group Write permission set on directory $dir" + ERRORS=$((ERRORS+1)) fi if [ $(echo $dirperm | cut -c8 ) != "-" ]; then crit "Other Read permission set on directory $dir" + ERRORS=$((ERRORS+1)) fi if [ $(echo $dirperm | cut -c9 ) != "-" ]; then crit "Other Write permission set on directory $dir" + ERRORS=$((ERRORS+1)) fi if [ $(echo $dirperm | cut -c10 ) != "-" ]; then crit "Other Execute permission set on directory $dir" + ERRORS=$((ERRORS+1)) fi fi done + + if [ $ERRORS = 0 ]; then + ok "No incorrect permissions on home directories" + fi + } # This function will be called if the script status is on enabled mode 
diff --git a/bin/hardening/13.8_check_user_dot_file_perm.sh b/bin/hardening/13.8_check_user_dot_file_perm.sh
new file mode 100755
index 0000000..0f2024d
--- /dev/null
+++ b/bin/hardening/13.8_check_user_dot_file_perm.sh
@@ -0,0 +1,77 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.8 Check User Dot File Permissions (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $DIR" + for FILE in $DIR/.[A-Za-z0-9]*; do + if [ ! -h "$FILE" -a -f "$FILE" ]; then + FILEPERM=$(ls -ld $FILE | cut -f1 -d" ") + if [ $(echo $FILEPERM | cut -c6) != "-" ]; then + crit "Group Write permission set on FILE $FILE" + ERRORS=$((ERRORS+1)) + fi + if [ $(echo $FILEPERM | cut -c9) != "-" ]; then + crit "Other Write permission set on FILE $FILE" + ERRORS=$((ERRORS+1)) + fi + fi + done + done + + if [ $ERRORS = 0 ]; then + ok "Dot file permission in users directories are correct" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + for FILE in $DIR/.[A-Za-z0-9]*; do + if [ ! -h "$FILE" -a -f "$FILE" ]; then + FILEPERM=$(ls -ld $FILE | cut -f1 -d" ") + if [ $(echo $FILEPERM | cut -c6) != "-" ]; then + warn "Group Write permission set on FILE $FILE" + chmod g-w $FILE + fi + if [ $(echo $FILEPERM | cut -c9) != "-" ]; then + warn "Other Write permission set on FILE $FILE" + chmod o-w $FILE + fi + fi + done + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . 
/etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.9_set_perm_on_user_netrc.sh b/bin/hardening/13.9_set_perm_on_user_netrc.sh
new file mode 100755
index 0000000..420e2f3
--- /dev/null
+++ b/bin/hardening/13.9_set_perm_on_user_netrc.sh
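Review bot: Dot-file names inside a home directory are chosen by the user, yet `ls -ld $FILE`, `chmod g-w $FILE` and `chmod o-w $FILE` expand `$FILE` unquoted, so a name containing whitespace or a glob character makes ls report a different entry (FILEPERM then feeds `[ ... != "-" ]` with an empty operand) or makes chmod act on a different path. Quote it and read the mode from stat instead of parsing ls: `FILEPERM=$(stat -c '%A' -- "$FILE")`, `chmod g-w -- "$FILE"`, `chmod o-w -- "$FILE"`. The `! -h "$FILE"` guard is right, but chmod follows symlinks and shell has no non-following chmod, so a user who swaps the file for a symlink between the test and the chmod can have root remove write bits from a file of their choosing; the impact is limited to removing permissions, but the race deserves a comment. The glob `.[A-Za-z0-9]*` also skips dot files whose second character is `_`, `-` or non-ASCII; `.[!.]*` covers every entry except those starting with `..`. The hunk begins on the previous line.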
@@ -0,0 +1,70 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.8 Check User Dot File Permissions (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 +PERMISSIONS="600" + +# This function will be called if the script status is on enabled / audit mode +audit () { + for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $DIR" + for FILE in $DIR/.netrc; do + if [ ! -h "$FILE" -a -f "$FILE" ]; then + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + crit "$FILE has not $PERMISSIONS permissions set" + fi + fi + done + done +} + +# This function will be called if the script status is on enabled mode +apply () { + for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do + debug "Working on $DIR" + for FILE in $DIR/.netrc; do + if [ ! -h "$FILE" -a -f "$FILE" ]; then + has_file_correct_permissions $FILE $PERMISSIONS + if [ $FNRET = 0 ]; then + ok "$FILE has correct permissions" + else + warn "$FILE has not $PERMISSIONS permissions set" + chmod 600 $FILE + fi + fi + done + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh 
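Review bot: apply hard-codes `chmod 600 $FILE` while the check two lines above uses `$PERMISSIONS`; use the same variable and quote the path, `chmod "$PERMISSIONS" -- "$FILE"`, so the two cannot drift apart. A `.netrc` holds clear-text credentials and is fully under the user's control, and `chmod` follows symlinks, so between the `! -h "$FILE"` test and the chmod a user can replace `.netrc` with a symlink and have root set mode 600 on an arbitrary file (on `/etc/passwd` that breaks name resolution system-wide); a comment flagging the race, and running this when users are not logged in, is the practical mitigation. `has_file_correct_permissions` is not visible here; if it demands exactly 600, a stricter 400 `.netrc` is loosened to 600 by apply — confirm that is intended. The header comment still carries the 13.8 title.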
diff --git a/etc/conf.d/13.8_check_user_dot_file_perm.cfg b/etc/conf.d/13.8_check_user_dot_file_perm.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.8_check_user_dot_file_perm.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled diff --git a/etc/conf.d/13.9_set_perm_on_user_netrc.cfg b/etc/conf.d/13.9_set_perm_on_user_netrc.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.9_set_perm_on_user_netrc.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled From fbba59cc6757569d473a47bd3482c5b6063d1edc Mon Sep 17 00:00:00 2001 From: "thibault.dewailly" Date: Sat, 16 Apr 2016 18:55:44 +0200 Subject: [PATCH 57/64] 13.10_find_user_rhosts_files.sh --- bin/hardening.sh | 2 +- bin/hardening/13.10_find_user_rhosts_files.sh | 56 +++++++++++++++++++ bin/hardening/13.9_set_perm_on_user_netrc.sh | 10 +++- etc/conf.d/13.10_find_user_rhosts_files.cfg | 2 + 4 files changed, 67 insertions(+), 3 deletions(-) create mode 100755 bin/hardening/13.10_find_user_rhosts_files.sh create mode 100644 etc/conf.d/13.10_find_user_rhosts_files.cfg diff --git a/bin/hardening.sh b/bin/hardening.sh index d717d9b..1445dd0 100644 --- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -13,4 +13,4 @@ # Execute blindly binaries # Audit mode -# ls | sort -n +# ls | sort -V diff --git a/bin/hardening/13.10_find_user_rhosts_files.sh b/bin/hardening/13.10_find_user_rhosts_files.sh new file mode 100755 index 0000000..9e01752 --- /dev/null +++ b/bin/hardening/13.10_find_user_rhosts_files.sh 
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.10 Check for Presence of User .rhosts Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+ debug "Working on $DIR"
+ for FILE in $DIR/.rhosts; do
+ if [ ! -h "$FILE" -a -f "$FILE" ]; then
+ crit "$FILE present"
+ ERRORS=$((ERRORS+1))
+ fi
+ done
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No .rhosts present in users files"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "If the audit returns something, please check with the user why he has this file"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.9_set_perm_on_user_netrc.sh b/bin/hardening/13.9_set_perm_on_user_netrc.sh
index 420e2f3..553e740 100755
--- a/bin/hardening/13.9_set_perm_on_user_netrc.sh
+++ b/bin/hardening/13.9_set_perm_on_user_netrc.sh
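Review bot: The user filter `egrep -v '(root|halt|sync|shutdown)'` matches anywhere in the passwd line, so an account such as `sync-agent`, or any user whose GECOS or home path contains `root`, is silently exempted from the `.rhosts` check; anchor it on the name field inside awk: `awk -F: '$1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" { print $6 }' /etc/passwd`. The clause `$7 !="/nonexistent"` compares the shell field with what is a home-directory value on Debian (`nobody`), so it never excludes anything — presumably `$6` was intended, though the `-f` test already copes with a missing directory. Since apply only reports, its message could state the expected remediation: `info "Remove the .rhosts file(s) reported by the audit; rsh/rlogin trust files should not exist"`.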
@@ -6,14 +6,14 @@ # # -# 13.8 Check User Dot File Permissions (Scored) +# 13.9 Check Permissions on User .netrc Files (Scored) # set -e # One error, it's over set -u # One variable unset, it's over -ERRORS=0 PERMISSIONS="600" +ERRORS=0 # This function will be called if the script status is on enabled / audit mode audit () { @@ -26,10 +26,16 @@ audit () { ok "$FILE has correct permissions" else crit "$FILE has not $PERMISSIONS permissions set" + ERRORS=$((ERRORS+1)) fi fi done done + + if [ $ERRORS = 0 ]; then + ok "permission $PERMISSIONS set on .netrc users files" + fi + } # This function will be called if the script status is on enabled mode diff --git a/etc/conf.d/13.10_find_user_rhosts_files.cfg b/etc/conf.d/13.10_find_user_rhosts_files.cfg new file mode 100644 index 0000000..e1e4502 --- /dev/null +++ b/etc/conf.d/13.10_find_user_rhosts_files.cfg @@ -0,0 +1,2 @@ +# Configuration for script of same name +status=enabled From a38aa6f03935089e5cf891b1397a381825d13472 Mon Sep 17 00:00:00 2001 
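Review bot: The new summary `ok "permission $PERMISSIONS set on .netrc users files"` is printed in audit mode whenever ERRORS is 0, including on a host with no `.netrc` at all, where nothing was set or verified; `ok "No .netrc file with permissions other than $PERMISSIONS found"` describes the outcome accurately. With the per-file `ok "$FILE has correct permissions"` kept, compliant hosts now report twice; dropping the per-file `ok` to `info` keeps the summary as the single verdict.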
From: "thibault.dewailly" Date: Sun, 17 Apr 2016 18:58:25 +0200 Subject: [PATCH 58/64] 13.12_users_valid_homedir.sh 13.11_find_passwd_group_inconsistencies.sh 13.13_check_user_homedir_ownership.sh --- ...13.11_find_passwd_group_inconsistencies.sh | 65 +++++++++++++++++++ bin/hardening/13.12_users_valid_homedir.sh | 56 ++++++++++++++++ .../13.13_check_user_homedir_ownership.sh | 65 +++++++++++++++++++ etc/conf.d/1.1_install_updates.cfg | 2 +- ...3.11_find_passwd_group_inconsistencies.cfg | 2 + etc/conf.d/13.12_users_valid_homedir.cfg | 2 + .../13.13_check_user_homedir_ownership.cfg | 2 + 7 files changed, 193 insertions(+), 1 deletion(-) create mode 100755 bin/hardening/13.11_find_passwd_group_inconsistencies.sh create mode 100755 bin/hardening/13.12_users_valid_homedir.sh create mode 100755 bin/hardening/13.13_check_user_homedir_ownership.sh create mode 100644 etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg create mode 100644 etc/conf.d/13.12_users_valid_homedir.cfg create mode 100644 etc/conf.d/13.13_check_user_homedir_ownership.cfg diff --git a/bin/hardening/13.11_find_passwd_group_inconsistencies.sh b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh new file mode 100755 index 0000000..cac5469 --- /dev/null +++ b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh 
@@ -0,0 +1,65 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.11 Check Groups in /etc/passwd (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + + for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u ); do + debug "Working on group $GROUP" + if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then + crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group" + ERRORS=$(($ERRORS+1)) + fi + done + + if [ $ERRORS = 0 ]; then + ok "passwd and group Groups are consistent" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u ); do + debug "Working on group $GROUP" + if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then + crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group" + ERRORS=$(($ERRORS+1)) + fi + done + + if [ $ERRORS != 0 ]; then + warn "Consider creating missing group" + fi +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/bin/hardening/13.12_users_valid_homedir.sh b/bin/hardening/13.12_users_valid_homedir.sh new file mode 100755 index 0000000..e94db47 --- /dev/null +++ b/bin/hardening/13.12_users_valid_homedir.sh 
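Review bot: The audit consults only `/etc/group` (`grep -q -P "^.*?:[^:]*:$GROUP:"`), so on a host whose nsswitch serves groups from LDAP, NIS or sssd every GID provided by those sources is reported as missing, and an operator may then "fix" passwd entries that are valid; `if ! getent group "$GROUP" >/dev/null; then` honours nsswitch (a numeric argument is looked up by GID) and still works on files-only hosts. If the intent really is a local-file-only check, the header comment should say so. A field comparison is also clearer than the `-P` regex: `awk -F: -v g="$GROUP" '$3 == g { found=1 } END { exit !found }' /etc/group`.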
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.12 Check That Users Are Assigned Valid Home Directories (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
+ if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then
+ crit "The home directory ($DIR) of user $USER does not exist."
+ ERRORS=$((ERRORS+1))
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "All home directories exists"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ if [ $ERRORS != 0 ]; then
+ warn "Consider creating missing home directories"
+ fi
+ :
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.13_check_user_homedir_ownership.sh b/bin/hardening/13.13_check_user_homedir_ownership.sh
new file mode 100755
index 0000000..28e3aea
--- /dev/null
+++ b/bin/hardening/13.13_check_user_homedir_ownership.sh
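Review bot: ERRORS is incremented inside `... | while read USER USERID DIR; do ... done`, which runs in a subshell because it is the last stage of a pipeline, so the increments are discarded and `ok "All home directories exists"` is printed even after `crit` findings; apply's `if [ $ERRORS != 0 ]` is for the same reason always false. Feed the loop by redirection instead: `done < <(awk -F: '{ print $1 " " $3 " " $6 }' /etc/passwd)`, with `while read -r USER USERID DIR`. The test `[ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]` mixes unquoted operands with `-a`; `[[ $USERID -ge 1000 && ! -d "$DIR" && $USER != nfsnobody && $USER != nobody ]]` is unambiguous. The next commit in this series touches this file again, but its hunk is not visible here.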
@@ -0,0 +1,65 @@ +#!/bin/bash + +# +# CIS Debian 7 Hardening +# Authors : Thibault Dewailly, OVH +# + +# +# 13.13 Check User Home Directory Ownership (Scored) +# + +set -e # One error, it's over +set -u # One variable unset, it's over + +ERRORS=0 + +# This function will be called if the script status is on enabled / audit mode +audit () { + + cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do + if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then + OWNER=$(stat -L -c "%U" "$DIR") + if [ "$OWNER" != "$USER" ]; then + crit "The home directory ($DIR) of user $USER is owned by $OWNER." + ERRORS=$(($ERRORS+1)) + fi + fi + done + + if [ $ERRORS = 0 ]; then + ok "All home directories have correct ownership" + fi +} + +# This function will be called if the script status is on enabled mode +apply () { + cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do + if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then + OWNER=$(stat -L -c "%U" "$DIR") + if [ "$OWNER" != "$USER" ]; then + warn "The home directory ($DIR) of user $USER is owned by $OWNER." + chown $USER $DIR + fi + fi + done +} + +# This function will check config parameters required +check_config() { + : +} + +# Source Root Dir Parameter +if [ ! -r /etc/default/cis-hardenning ]; then + echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting" + exit 128 +else + . /etc/default/cis-hardenning + if [ -z $CIS_ROOT_DIR ]; then + echo "No CIS_ROOT_DIR variable, aborting" + fi +fi + +# Main function, will call the proper functions given the configuration (audit, enabled, disabled) +[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh diff --git a/etc/conf.d/1.1_install_updates.cfg b/etc/conf.d/1.1_install_updates.cfg index acee522..e1e4502 100644 --- a/etc/conf.d/1.1_install_updates.cfg +++ b/etc/conf.d/1.1_install_updates.cfg 
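Review bot: Same pipeline-subshell problem as 13.12 in this commit: ERRORS is bumped inside a `| while read` loop and lost, so the `ok` summary is unconditional; use `done < <(awk -F: '{ print $1 " " $3 " " $6 }' /etc/passwd)`. The threshold `$USERID -ge 500` is the Red Hat value, while Debian allocates dynamic system accounts in 100–999 and starts regular users at 1000 (the value 13.12 in this same commit uses), so apply's `chown $USER $DIR` can hand a packaged service account ownership of a root-owned directory under `/var/lib` that was root-owned on purpose — use 1000 (or read UID_MIN from /etc/login.defs) and keep the two scripts consistent. Quote both operands, `chown -- "$USER" "$DIR"`, and consider refusing to chown a home that is `/` or is shared by more than one passwd entry, since there the chown is a privilege change rather than a repair.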
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=disabled
+status=enabled
diff --git a/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg b/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/13.12_users_valid_homedir.cfg b/etc/conf.d/13.12_users_valid_homedir.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/13.12_users_valid_homedir.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/13.13_check_user_homedir_ownership.cfg b/etc/conf.d/13.13_check_user_homedir_ownership.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/13.13_check_user_homedir_ownership.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From aad764bb1b133c16106171b51b9b09de584dfa3b Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Sun, 17 Apr 2016 19:53:47 +0200
Subject: [PATCH 59/64] 13.14_check_duplicate_uid.sh 13.15_check_duplicate_gid.sh^C
---
 ...13.11_find_passwd_group_inconsistencies.sh | 14 +---- bin/hardening/13.12_users_valid_homedir.sh | 12 ++-- .../13.13_check_user_homedir_ownership.sh | 10 +++- bin/hardening/13.14_check_duplicate_uid.sh | 58 +++++++++++++++++++ bin/hardening/13.15_check_duplicate_gid.sh | 58 +++++++++++++++++++ etc/conf.d/13.14_check_duplicate_uid.cfg | 2 + etc/conf.d/13.15_check_duplicate_gid.cfg | 2 + 7 files changed, 136 insertions(+), 20 deletions(-) create mode 100755 bin/hardening/13.14_check_duplicate_uid.sh create mode 100755 bin/hardening/13.15_check_duplicate_gid.sh create mode 100644 etc/conf.d/13.14_check_duplicate_uid.cfg create mode 100644 etc/conf.d/13.15_check_duplicate_gid.cfg
diff --git a/bin/hardening/13.11_find_passwd_group_inconsistencies.sh b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh
index cac5469..d16fed3 100755
--- a/bin/hardening/13.11_find_passwd_group_inconsistencies.sh
+++ b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh
@@ -21,7 +21,7 @@ audit () {
 debug "Working on group $GROUP"
 if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then
 crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group"
- ERRORS=$(($ERRORS+1))
+ ERRORS=$((ERRORS+1))
 fi
 done
@@ -32,17 +32,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
- for GROUP in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
- debug "Working on group $GROUP"
- if ! grep -q -P "^.*?:[^:]*:$GROUP:" /etc/group; then
- crit "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group"
- ERRORS=$(($ERRORS+1))
- fi
- done
-
- if [ $ERRORS != 0 ]; then
- warn "Consider creating missing group"
- fi
+ info "Solving passwd and group consistency automatically may seriously harm your system, report only here"
 }
 # This function will check config parameters required
diff --git a/bin/hardening/13.12_users_valid_homedir.sh b/bin/hardening/13.12_users_valid_homedir.sh
index e94db47..e0fd8e9 100755
--- a/bin/hardening/13.12_users_valid_homedir.sh
+++ b/bin/hardening/13.12_users_valid_homedir.sh
@@ -16,7 +16,12 @@ ERRORS=0
 # This function will be called if the script status is on enabled / audit mode
 audit () {
- cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
+ RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+ for LINE in $RESULT; do
+ debug "Working on $LINE"
+ USER=$(awk -F: {'print $1'} <<< $LINE)
+ USERID=$(awk -F: {'print $2'} <<< $LINE)
+ DIR=$(awk -F: {'print $3'} <<< $LINE)
 if [ $USERID -ge 1000 -a ! -d "$DIR" -a $USER != "nfsnobody" -a $USER != "nobody" ]; then
 crit "The home directory ($DIR) of user $USER does not exist."
 ERRORS=$((ERRORS+1))
@@ -30,10 +35,7 @@ audit () {
 # This function will be called if the script status is on enabled mode
 apply () {
- if [ $ERRORS != 0 ]; then
- warn "Consider creating missing home directories"
- fi
- :
+ info "Modifying home directories may seriously harm your system, report only here"
 }
 # This function will check config parameters required
diff --git a/bin/hardening/13.13_check_user_homedir_ownership.sh b/bin/hardening/13.13_check_user_homedir_ownership.sh
index 28e3aea..6adc24e 100755
--- a/bin/hardening/13.13_check_user_homedir_ownership.sh
+++ b/bin/hardening/13.13_check_user_homedir_ownership.sh
@@ -16,13 +16,17 @@ ERRORS=0
 # This function will be called if the script status is on enabled / audit mode
 audit () {
-
- cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read USER USERID DIR; do
+ RESULT=$(cat /etc/passwd | awk -F: '{ print $1 ":" $3 ":" $6 }')
+ for LINE in $RESULT; do
+ debug "Working on $LINE"
+ USER=$(awk -F: {'print $1'} <<< $LINE)
+ USERID=$(awk -F: {'print $2'} <<< $LINE)
+ DIR=$(awk -F: {'print $3'} <<< $LINE)
 if [ $USERID -ge 500 -a -d "$DIR" -a $USER != "nfsnobody" ]; then
 OWNER=$(stat -L -c "%U" "$DIR")
 if [ "$OWNER" != "$USER" ]; then
 crit "The home directory ($DIR) of user $USER is owned by $OWNER."
- ERRORS=$(($ERRORS+1))
+ ERRORS=$((ERRORS+1))
 fi
 fi
 done
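Review bot: `for LINE in $RESULT` splits RESULT on IFS (space, tab and newline), so a home directory whose path contains a space is broken into fragments with an empty USERID; `[ $USERID -ge 1000 … ]` then fails with a test error, `set -e` ignores failures inside `if`, and the account is silently skipped by the check. It also forks three `awk` processes per account. Reading the fields directly keeps the loop in the current shell and needs no splitting at all: `while IFS=: read -r USER USERID DIR; do … done < <(cut -d: -f1,3,6 /etc/passwd)`. The 13.13 hunk below introduces the identical loop, and audit's closing lines lie outside both hunks.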
diff --git a/bin/hardening/13.14_check_duplicate_uid.sh b/bin/hardening/13.14_check_duplicate_uid.sh
new file mode 100755
index 0000000..fc79b7e
--- /dev/null
+++ b/bin/hardening/13.14_check_duplicate_uid.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.14 Check for Duplicate UIDs (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+ for LINE in $RESULT; do
+ debug "Working on line $LINE"
+ OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+ USERID=$(awk -F: {'print $2'} <<< $LINE)
+ if [ $OCC_NUMBER -gt 1 ]; then
+ USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERID /etc/passwd | xargs)
+ ERRORS=$((ERRORS+1))
+ crit "Duplicate UID ($USERID): ${USERS}"
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No duplicate UIDs"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Editing automatically uids may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.15_check_duplicate_gid.sh b/bin/hardening/13.15_check_duplicate_gid.sh
new file mode 100755
index 0000000..e74ec56
--- /dev/null
+++ b/bin/hardening/13.15_check_duplicate_gid.sh
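Review bot: 13.14 and 13.15 (next hunk), and 13.16/13.17 further down, are the same 58-line script differing only in the input file, the cut field and the messages; the mislabelled `Duplicate UID` and `GIDss` strings in 13.15 are what that copy-paste produces. A helper in lib/utils.sh taking the file, the field number and a label, called from each script's audit, would remove the drift. `cat /etc/passwd | cut -f3 -d":"` can be `cut -f3 -d: /etc/passwd`, and `for LINE in $RESULT` is only safe here because both joined fields are numeric, which deserves a comment such as `# count:uid pairs contain no whitespace, word splitting is safe`.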
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.15 Check for Duplicate GIDs (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+ for LINE in $RESULT; do
+ debug "Working on line $LINE"
+ OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+ GROUPID=$(awk -F: {'print $2'} <<< $LINE)
+ if [ $OCC_NUMBER -gt 1 ]; then
+ USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)
+ ERRORS=$((ERRORS+1))
+ crit "Duplicate UID ($GROUPID): ${USERS}"
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No duplicate GIDss"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Editing automatically gids may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/13.14_check_duplicate_uid.cfg b/etc/conf.d/13.14_check_duplicate_uid.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/13.14_check_duplicate_uid.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/13.15_check_duplicate_gid.cfg b/etc/conf.d/13.15_check_duplicate_gid.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
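Review bot: the lookup behind the crit message searches the wrong file: `awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd` compares the duplicated GID against the UID column of /etc/passwd, so the report names whichever account happens to have that UID (or nothing) instead of the group entries that collide. Read /etc/group, whose third field is the GID: `USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/group | xargs)`, and rename the variable (e.g. `DUP_GROUPS`; avoid `GROUPS`, which bash reserves) so the message reads as group names. The later commit on this page that corrects the `Duplicate UID` wording leaves this lookup unchanged.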
+++ b/etc/conf.d/13.15_check_duplicate_gid.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From e1337d76df2759c2f652e34573f5806e50be5f2d Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Sun, 17 Apr 2016 22:30:20 +0200
Subject: [PATCH 60/64] 13.16_check_duplicate_username.sh 13.17_check_duplicate_groupname.sh 13.18_find_user_netrc_files.sh 13.19_find_user_forward_files.sh 13.20_shadow_group_empty.sh
---
 bin/hardening/13.10_find_user_rhosts_files.sh | 5 +- bin/hardening/13.15_check_duplicate_gid.sh | 4 +- .../13.16_check_duplicate_username.sh | 58 ++++++++++++++++ .../13.17_check_duplicate_groupname.sh | 58 ++++++++++++++++ bin/hardening/13.18_find_user_netrc_files.sh | 57 ++++++++++++++++ .../13.19_find_user_forward_files.sh | 57 ++++++++++++++++ bin/hardening/13.20_shadow_group_empty.sh | 67 +++++++++++++++++++ etc/conf.d/13.16_check_duplicate_username.cfg | 2 + .../13.17_check_duplicate_groupname.cfg | 2 + etc/conf.d/13.18_find_user_netrc_files.cfg | 2 + etc/conf.d/13.19_find_user_forward_files.cfg | 2 + etc/conf.d/13.20_shadow_group_empty.cfg | 2 + 12 files changed, 312 insertions(+), 4 deletions(-) create mode 100755 bin/hardening/13.16_check_duplicate_username.sh create mode 100755 bin/hardening/13.17_check_duplicate_groupname.sh create mode 100755 bin/hardening/13.18_find_user_netrc_files.sh create mode 100755 bin/hardening/13.19_find_user_forward_files.sh create mode 100755 bin/hardening/13.20_shadow_group_empty.sh create mode 100644 etc/conf.d/13.16_check_duplicate_username.cfg create mode 100644 etc/conf.d/13.17_check_duplicate_groupname.cfg create mode 100644 etc/conf.d/13.18_find_user_netrc_files.cfg create mode 100644 etc/conf.d/13.19_find_user_forward_files.cfg create mode 100644 etc/conf.d/13.20_shadow_group_empty.cfg
diff --git a/bin/hardening/13.10_find_user_rhosts_files.sh b/bin/hardening/13.10_find_user_rhosts_files.sh
index 9e01752..8fa7ea9 100755
--- a/bin/hardening/13.10_find_user_rhosts_files.sh
+++ b/bin/hardening/13.10_find_user_rhosts_files.sh
@@ -13,12 +13,13 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 ERRORS=0
+FILENAME=".rhosts"
 # This function will be called if the script status is on enabled / audit mode
 audit () {
 for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
 debug "Working on $DIR"
- for FILE in $DIR/.rhosts; do
+ for FILE in $DIR/$FILENAME; do
 if [ ! -h "$FILE" -a -f "$FILE" ]; then
 crit "$FILE present"
 ERRORS=$((ERRORS+1))
@@ -27,7 +28,7 @@ audit () {
 done
 if [ $ERRORS = 0 ]; then
- ok "No .rhosts present in users files"
+ ok "No $FILENAME present in users files"
 fi
 }
diff --git a/bin/hardening/13.15_check_duplicate_gid.sh b/bin/hardening/13.15_check_duplicate_gid.sh
index e74ec56..b07b5b7 100755
--- a/bin/hardening/13.15_check_duplicate_gid.sh
+++ b/bin/hardening/13.15_check_duplicate_gid.sh
@@ -24,12 +24,12 @@ audit () {
 if [ $OCC_NUMBER -gt 1 ]; then
 USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPID /etc/passwd | xargs)
 ERRORS=$((ERRORS+1))
- crit "Duplicate UID ($GROUPID): ${USERS}"
+ crit "Duplicate GID ($GROUPID): ${USERS}"
 fi
 done
 if [ $ERRORS = 0 ]; then
- ok "No duplicate GIDss"
+ ok "No duplicate GIDs"
 fi
 }
diff --git a/bin/hardening/13.16_check_duplicate_username.sh b/bin/hardening/13.16_check_duplicate_username.sh
new file mode 100755
index 0000000..172198b
--- /dev/null
+++ b/bin/hardening/13.16_check_duplicate_username.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.16 Check for Duplicate User Names (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+ for LINE in $RESULT; do
+ debug "Working on line $LINE"
+ OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+ USERNAME=$(awk -F: {'print $2'} <<< $LINE)
+ if [ $OCC_NUMBER -gt 1 ]; then
+ USERS=$(awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd | xargs)
+ ERRORS=$((ERRORS+1))
+ crit "Duplicate username $USERNAME"
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No duplicate usernames"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Editing automatically username may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.17_check_duplicate_groupname.sh b/bin/hardening/13.17_check_duplicate_groupname.sh
new file mode 100755
index 0000000..ab1e36b
--- /dev/null
+++ b/bin/hardening/13.17_check_duplicate_groupname.sh
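Review bot: the USERS line is dead and wrong: `awk -F: '($3 == n) { print $1 }' n=$USERNAME /etc/passwd` compares a user name against the numeric UID column, so it always yields nothing, and the crit message never uses it; drop the line (13.17 in the next hunk carries the same leftover with GROUPNAME). `sort -n` on names relies on sort's last-resort byte comparison to make identical names adjacent for `uniq -c`; plain `sort` states the intent: `cut -f1 -d: /etc/passwd | sort | uniq -c | awk {'print $1":"$2'}`, again in both scripts.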
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.17 Check for Duplicate Group Names (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ RESULT=$(cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | awk {'print $1":"$2'} )
+ for LINE in $RESULT; do
+ debug "Working on line $LINE"
+ OCC_NUMBER=$(awk -F: {'print $1'} <<< $LINE)
+ GROUPNAME=$(awk -F: {'print $2'} <<< $LINE)
+ if [ $OCC_NUMBER -gt 1 ]; then
+ USERS=$(awk -F: '($3 == n) { print $1 }' n=$GROUPNAME /etc/passwd | xargs)
+ ERRORS=$((ERRORS+1))
+ crit "Duplicate groupname $GROUPNAME"
+ fi
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No duplicate groupnames"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "Editing automatically groupname may seriously harm your system, report only here"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.18_find_user_netrc_files.sh b/bin/hardening/13.18_find_user_netrc_files.sh
new file mode 100755
index 0000000..64986ce
--- /dev/null
+++ b/bin/hardening/13.18_find_user_netrc_files.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.18 Check for Presence of User .netrc Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+FILENAME='.netrc'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+ debug "Working on $DIR"
+ for FILE in $DIR/$FILENAME; do
+ if [ ! -h "$FILE" -a -f "$FILE" ]; then
+ crit "$FILE present"
+ ERRORS=$((ERRORS+1))
+ fi
+ done
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No $FILENAME present in users files"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "If the audit returns something, please check with the user why he has this file"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.19_find_user_forward_files.sh b/bin/hardening/13.19_find_user_forward_files.sh
new file mode 100755
index 0000000..920ad49
--- /dev/null
+++ b/bin/hardening/13.19_find_user_forward_files.sh
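Review bot: `egrep -v '(root|halt|sync|shutdown)'` filters on the whole /etc/passwd line, so any account whose name, GECOS field or home path merely contains one of those words (constructed examples: a user `syncops`, or a GECOS of `Root Cause Team`) is excluded from the scan and a `.netrc` in that home is never reported. Match the user-name field instead, inside the awk that is already there: `awk -F: '$1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 != "/nonexistent" { print $6 }' /etc/passwd`. 13.19 in the next hunk and the existing 13.10 loop shown as context in the `@@ -13,12 +13,13 @@` hunk above use the identical pipeline.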
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.18 Check for Presence of User .netrc Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+FILENAME='.forward'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ for DIR in $(cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 !="/nonexistent" ) { print $6 }'); do
+ debug "Working on $DIR"
+ for FILE in $DIR/$FILENAME; do
+ if [ ! -h "$FILE" -a -f "$FILE" ]; then
+ crit "$FILE present"
+ ERRORS=$((ERRORS+1))
+ fi
+ done
+ done
+
+ if [ $ERRORS = 0 ]; then
+ ok "No $FILENAME present in users files"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "If the audit returns something, please check with the user why he has this file"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/13.20_shadow_group_empty.sh b/bin/hardening/13.20_shadow_group_empty.sh
new file mode 100755
index 0000000..bc07033
--- /dev/null
+++ b/bin/hardening/13.20_shadow_group_empty.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 13.18 Check for Presence of User .netrc Files (Scored)
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+ERRORS=0
+FILEGROUP='/etc/group'
+PATTERN='^shadow:x:[[:digit:]]+:'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_pattern_exists_in_file $FILEGROUP $PATTERN
+ if [ $FNRET = 0 ]; then
+ info "shadow group exists"
+ RESULT=$(grep -E "$PATTERN" $FILEGROUP | cut -d: -f4)
+ GROUPID=$(getent group shadow | cut -d: -f3)
+ debug "$RESULT $GROUPID"
+ if [ ! -z "$RESULT" ]; then
+ crit "Some user belong to shadow group : $RESULT"
+ else
+ ok "No one belongs to shadow group"
+ fi
+
+ info "Checking if a user has $GROUPID as primary group"
+ RESULT=$(awk -F: '($4 == shadowid) { print $1 }' shadowid=$GROUPID /etc/passwd)
+ if [ ! -z "$RESULT" ]; then
+ crit "Some user have shadow id to their primary group : $RESULT"
+ else
+ ok "No one have shadow id to their primary group"
+ fi
+ else
+ crit "shadow group doesn't exist"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ info "If the audit returns something, please check with the user why he has this file"
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning FILE, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
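Review bot: `does_pattern_exists_in_file $FILEGROUP $PATTERN` passes PATTERN unquoted, and `'^shadow:x:[[:digit:]]+:'` contains a bracket expression the shell treats as a glob, so a matching file name in the current directory would silently replace the pattern (with no match the word stays literal, so the bug is latent); the `grep -E "$PATTERN"` a few lines down quotes it, so make the first call consistent: `does_pattern_exists_in_file "$FILEGROUP" "$PATTERN"`. The apply message `If the audit returns something, please check with the user why he has this file` is copied from the .netrc script and does not describe a shadow-group check; something like `info "Removing users from the shadow group must be done manually, report only here"` matches the other report-only scripts on this page.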
diff --git a/etc/conf.d/13.16_check_duplicate_username.cfg b/etc/conf.d/13.16_check_duplicate_username.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/13.16_check_duplicate_username.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/13.17_check_duplicate_groupname.cfg b/etc/conf.d/13.17_check_duplicate_groupname.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/13.17_check_duplicate_groupname.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/13.18_find_user_netrc_files.cfg b/etc/conf.d/13.18_find_user_netrc_files.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/13.18_find_user_netrc_files.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/13.19_find_user_forward_files.cfg b/etc/conf.d/13.19_find_user_forward_files.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/13.19_find_user_forward_files.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/13.20_shadow_group_empty.cfg b/etc/conf.d/13.20_shadow_group_empty.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/13.20_shadow_group_empty.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From ef14c475fe54b5f92145f134dac18d2896f43c10 Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Sun, 17 Apr 2016 23:10:47 +0200
Subject: [PATCH 61/64] Added argument parsing and test checks
---
 bin/hardening/1.1_install_updates.sh | 2 +- lib/common.sh | 2 ++ lib/main.sh | 29 ++++++++++++++++++++++++++++ 3 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/bin/hardening/1.1_install_updates.sh b/bin/hardening/1.1_install_updates.sh
index 3dd2bb7..89d5557 100755
--- a/bin/hardening/1.1_install_updates.sh
+++ b/bin/hardening/1.1_install_updates.sh
@@ -19,7 +19,7 @@ audit () {
 info "Fetching upgrades ..."
 apt_check_updates "CIS_APT"
 if [ $FNRET -gt 0 ]; then
- warn "$RESULT"
+ crit "$RESULT"
 FNRET=1
 else
 ok "No upgrades available"
diff --git a/lib/common.sh b/lib/common.sh
index 573474c..f4dc0d6 100644
--- a/lib/common.sh
+++ b/lib/common.sh
@@ -58,6 +58,8 @@ cecho () {
 crit () {
 [ $MACHINE_LOG_LEVEL -ge 1 ] && _logger $BRED "[ KO ] $*"
+ # This variable incrementation is used to measure failure or success in tests
+ CRITICAL_ERRORS_NUMBER=$((CRITICAL_ERRORS_NUMBER+1))
 }
 warn () {
diff --git a/lib/main.sh b/lib/main.sh
index 3cfcdc3..87c3f26 100644
--- a/lib/main.sh
+++ b/lib/main.sh
@@ -1,6 +1,7 @@
 LONG_SCRIPT_NAME=$(basename $0)
 SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
 # Variable initialization, to avoid crash
+CRITICAL_ERRORS_NUMBER=0 # This will be used to see if a script failed, or passed
 status=""
 [ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
@@ -21,6 +22,25 @@ if [ -z $status ]; then
 exit 0
 fi
+# Arguments parsing
+while [[ $# > 0 ]]; do
+ ARG="$1"
+ case $ARG in
+ --audit)
+ if [ $status != 'disabled' -o $status != 'false' ]; then
+ debug "Audit argument detected, setting status to audit"
+ status=audit
+ else
+ info "Audit argument passed but script is disabled"
+ fi
+ ;;
+ *)
+ debug "Unknown option passed"
+ ;;
+ esac
+ shift
+done
+
 case $status in
 enabled | true )
 info "Checking Configuration"
@@ -43,3 +63,12 @@ case $status in
 warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
 ;;
 esac
+
+info "Results : "
+if [ $CRITICAL_ERRORS_NUMBER = 0 ]; then
+ ok "Check Passed"
+ exit 0
+else
+ crit "Check Failed"
+ exit 1
+fi
From 756fce8c2e8626343586c4f726c0c3df84991c48 Mon Sep 17 00:00:00 2001
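Review bot: in the new argument loop of lib/main.sh an unrecognised argument is only logged at debug level and execution continues in whatever mode `status` selects, so a mistyped `--audit` on an `enabled` script silently runs apply and modifies the host. The `*)` arm should refuse to continue, e.g. `warn "Unknown option $ARG, aborting"; exit 128` (128 is the abort code the scripts already use for a missing /etc/default/cis-hardenning). `while [[ $# > 0 ]]` is a string comparison inside `[[ ]]`; it happens to work for non-negative integers, but `while [ $# -gt 0 ]` says what is meant. The `--audit` handling also deserves a comment such as `# --audit downgrades an enabled script to audit-only; it never upgrades a disabled one`, since that is the behaviour the condition is meant to encode.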
From: "thibault.dewailly"
Date: Sun, 17 Apr 2016 23:19:41 +0200
Subject: [PATCH 62/64] Fixed disabled features, headers and preparing main script
---
 bin/hardening.sh | 6 ++++++ bin/hardening/13.19_find_user_forward_files.sh | 2 +- bin/hardening/13.20_shadow_group_empty.sh | 2 +- etc/conf.d/7.5.3_disable_rds.cfg | 2 ++ lib/main.sh | 8 ++++---- 5 files changed, 14 insertions(+), 6 deletions(-) create mode 100644 etc/conf.d/7.5.3_disable_rds.cfg
diff --git a/bin/hardening.sh b/bin/hardening.sh
index 1445dd0..e76d52d 100644
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -14,3 +14,9 @@
 # Audit mode
 # ls | sort -V
+
+cd /opt/cis-hardening/bin/hardening
+for i in $(ls | sort -V); do
+echo "$i"
+./$i --audit
+done
diff --git a/bin/hardening/13.19_find_user_forward_files.sh b/bin/hardening/13.19_find_user_forward_files.sh
index 920ad49..eff76e3 100755
--- a/bin/hardening/13.19_find_user_forward_files.sh
+++ b/bin/hardening/13.19_find_user_forward_files.sh
@@ -6,7 +6,7 @@
 #
 #
-# 13.18 Check for Presence of User .netrc Files (Scored)
+# 13.19 Check for Presence of User .forward Files (Scored)
 #
 set -e # One error, it's over
diff --git a/bin/hardening/13.20_shadow_group_empty.sh b/bin/hardening/13.20_shadow_group_empty.sh
index bc07033..a65e1e8 100755
--- a/bin/hardening/13.20_shadow_group_empty.sh
+++ b/bin/hardening/13.20_shadow_group_empty.sh
@@ -6,7 +6,7 @@
 #
 #
-# 13.18 Check for Presence of User .netrc Files (Scored)
+# 13.20 Ensure shadow group is empty (Scored)
 #
 set -e # One error, it's over
diff --git a/etc/conf.d/7.5.3_disable_rds.cfg b/etc/conf.d/7.5.3_disable_rds.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/7.5.3_disable_rds.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/lib/main.sh b/lib/main.sh
index 87c3f26..fd73202 100644
--- a/lib/main.sh
+++ b/lib/main.sh
@@ -27,7 +27,7 @@ while [[ $# > 0 ]]; do
 ARG="$1"
 case $ARG in
 --audit)
- if [ $status != 'disabled' -o $status != 'false' ]; then
+ if [ $status != 'disabled' -a $status != 'false' ]; then
 debug "Audit argument detected, setting status to audit"
 status=audit
 else
@@ -58,17 +58,17 @@ case $status in
 ;;
 disabled | false )
 info "$SCRIPT_NAME is disabled, ignoring"
+ exit 2 # Means unknown status
 ;;
 *)
 warn "Wrong value for status : $status. Must be [ enabled | true | audit | disabled | false ]"
 ;;
 esac
-info "Results : "
 if [ $CRITICAL_ERRORS_NUMBER = 0 ]; then
 ok "Check Passed"
- exit 0
+ exit 0 # Means ok status
 else
 crit "Check Failed"
- exit 1
+ exit 1 # Means critical status
 fi
From 57121f116cd9d29a5d6ee10528da9e76ce4d0c23 Mon Sep 17 00:00:00 2001
From: "thibault.dewailly"
Date: Mon, 18 Apr 2016 11:16:05 +0200
Subject: [PATCH 63/64] 99.1_timeout_tty.sh 99.2_disable_usb_devices.sh
---
 bin/hardening.sh | 107 +++++++++++++++- bin/hardening/10.4_default_umask.sh | 6 +- bin/hardening/99.1_timeout_tty.sh | 63 +++++++++++++ bin/hardening/99.2_disable_usb_devices.sh | 72 +++++++++++++++ etc/conf.d/99.1_timeout_tty.cfg | 2 + etc/conf.d/99.2_disable_usb_devices.cfg | 2 + 6 files changed, 244 insertions(+), 8 deletions(-) mode change 100644 => 100755 bin/hardening.sh create mode 100755 bin/hardening/99.1_timeout_tty.sh create mode 100755 bin/hardening/99.2_disable_usb_devices.sh create mode 100644 etc/conf.d/99.1_timeout_tty.cfg create mode 100644 etc/conf.d/99.2_disable_usb_devices.cfg
diff --git a/bin/hardening.sh b/bin/hardening.sh
old mode 100644
new mode 100755
index e76d52d..b853bd7
--- a/bin/hardening.sh
+++ b/bin/hardening.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
-# CIs Deb
 #
 # CIS Debian 7 Hardening
 # Authors : Thibault Dewailly, OVH
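Review bot: in the `@@ -58,17 +58,17 @@` hunk the `*)` arm for an unrecognised `status` value only warns, then falls through to the CRITICAL_ERRORS_NUMBER test and exits 0 as `Check Passed`, so a typo in a conf.d file is counted as a passing check by the summary in the next commit's bin/hardening.sh. Use `crit` there in place of `warn` so the existing tail reports `Check Failed` and exits 1. The comment on the new `exit 2 # Means unknown status` contradicts both the branch it sits in (disabled) and the `2)` arm of bin/hardening.sh, which counts it as disabled; `exit 2 # Means disabled, not counted as run` matches both.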
@@ -15,8 +14,106 @@
 # ls | sort -V
-cd /opt/cis-hardening/bin/hardening
-for i in $(ls | sort -V); do
-echo "$i"
-./$i --audit
+LONG_SCRIPT_NAME=$(basename $0)
+SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh}
+DISABLED_CHECKS=0
+PASSED_CHECKS=0
+FAILED_CHECKS=0
+TOTAL_CHECKS=0
+TOTAL_TREATED_CHECKS=0
+AUDIT=0
+APPLY=0
+
+usage() {
+ cat << EOF
+$LONG_SCRIPT_NAME ( --apply | -- audit ) < -h | --help >
+ --apply : Apply hardening if told in configuration
+ --audit : If script not disabled, audit configuration only
+ -h|--help : this help
+EOF
+ exit 0
+}
+
+if [ $# = 0 ]; then
+ usage
+fi
+
+# Arguments parsing
+while [[ $# > 0 ]]; do
+ ARG="$1"
+ case $ARG in
+ --audit)
+ AUDIT=1
+ ;;
+ --apply)
+ APPLY=1
+ ;;
+ -h|--help)
+ usage
+ ;;
+ *)
+ usage
+ ;;
+ esac
+ shift
 done
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+[ -r $CIS_ROOT_DIR/lib/constants.sh ] && . $CIS_ROOT_DIR/lib/constants.sh
+[ -r $CIS_ROOT_DIR/etc/hardening.cfg ] && . $CIS_ROOT_DIR/etc/hardening.cfg
+[ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh
+[ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh
+
+# Parse every scripts and execute them in the required mode
+for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening | sort -V); do
+ info "Treating $SCRIPT"
+
+ if [ $AUDIT = 1 ]; then
+ debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit"
+ $CIS_ROOT_DIR/bin/hardening/$SCRIPT --audit
+ elif [ $APPLY = 1 ]; then
+ debug "$CIS_ROOT_DIR/bin/hardening/$SCRIPT"
+ $CIS_ROOT_DIR/bin/hardening/$SCRIPT
+ fi
+
+ SCRIPT_EXITCODE=$?
+
+ debug "Script $SCRIPT finished with exit code $SCRIPT_EXITCODE"
+ case $SCRIPT_EXITCODE in
+ 0)
+ debug "$SCRIPT passed"
+ PASSED_CHECKS=$((PASSED_CHECKS+1))
+ ;;
+ 1)
+ debug "$SCRIPT failed"
+ FAILED_CHECKS=$((FAILED_CHECKS+1))
+ ;;
+ 2)
+ debug "$SCRIPT is disabled"
+ DISABLED_CHECKS=$((DISABLED_CHECKS+1))
+ ;;
+ esac
+
+ TOTAL_CHECKS=$((TOTAL_CHECKS+1))
+
+done
+
+TOTAL_TREATED_CHECKS=$((TOTAL_CHECKS-DISABLED_CHECKS))
+
+printf "%40s\n" "################### SUMMARY ###################"
+printf "%30s %s\n" "Total Available Checks :" "$TOTAL_CHECKS"
+printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
+printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
+printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
+printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
+printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
diff --git a/bin/hardening/10.4_default_umask.sh b/bin/hardening/10.4_default_umask.sh
index 5e09853..343cf59 100755
--- a/bin/hardening/10.4_default_umask.sh
+++ b/bin/hardening/10.4_default_umask.sh
@@ -13,8 +13,8 @@ set -e # One error, it's over
 set -u # One variable unset, it's over
 USER='root'
-PATTERN='umask 644'
-FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/*'
+PATTERN='umask 077'
+FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
 FILE='/etc/profile.d/CIS_10.4_umask.sh'
 # This function will be called if the script status is on enabled / audit mode
@@ -33,7 +33,7 @@ apply () {
 if [ $FNRET != 0 ]; then
 warn "$PATTERN not present in $FILES_TO_SEARCH"
 touch $FILE
- chmod 700 $FILE
+ chmod 644 $FILE
 add_end_of_file $FILE "$PATTERN"
 else
 ok "$PATTERN present in $FILES_TO_SEARCH"
diff --git a/bin/hardening/99.1_timeout_tty.sh b/bin/hardening/99.1_timeout_tty.sh
new file mode 100755
index 0000000..d4bcfb1
--- /dev/null
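Review bot: the summary at the end of bin/hardening.sh divides by TOTAL_TREATED_CHECKS, which is 0 when every check is disabled (or the directory is empty), so `bc -l` prints a divide-by-zero error and printf formats an empty value; guard the two percentage lines with `if [ $TOTAL_TREATED_CHECKS -gt 0 ]` (and TOTAL_CHECKS likewise). The `case $SCRIPT_EXITCODE` has no `*)` arm, so a script that aborts with 128 (missing /etc/default/cis-hardenning) or dies under its own `set -e` is counted in TOTAL_CHECKS but in neither passed, failed nor disabled, which inflates the conformity percentage; add `*) FAILED_CHECKS=$((FAILED_CHECKS+1)) ;;`. `for SCRIPT in $(ls $CIS_ROOT_DIR/bin/hardening | sort -V)` also executes any file dropped into that directory, not only the check scripts, and `--apply` runs them with the caller's privileges; iterating `$CIS_ROOT_DIR/bin/hardening/*.sh` restricts the set, and a comment stating that the directory must be writable by root only would record the assumption. The usage text has a stray space in `-- audit`.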
+++ b/bin/hardening/99.1_timeout_tty.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening /!\ Not in the Guide
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 99.1 Set Timeout on ttys
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+USER='root'
+PATTERN='^TMOUT='
+VALUE='600'
+FILES_TO_SEARCH='/etc/bash.bashrc /etc/profile.d/* /etc/profile'
+FILE='/etc/profile.d/CIS_99.1_timeout.sh'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILES_TO_SEARCH"
+ else
+ ok "$PATTERN present in $FILES_TO_SEARCH"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
+ if [ $FNRET != 0 ]; then
+ warn "$PATTERN not present in $FILES_TO_SEARCH"
+ touch $FILE
+ chmod 644 $FILE
+ add_end_of_file $FILE "$PATTERN$VALUE"
+ add_end_of_file $FILE "readonly TMOUT"
+ add_end_of_file $FILE "export TMOUT"
+ else
+ ok "$PATTERN present in $FILES_TO_SEARCH"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . /etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh
new file mode 100755
index 0000000..97077ae
--- /dev/null
+++ b/bin/hardening/99.2_disable_usb_devices.sh
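Review bot: PATTERN carries the regex anchor and apply writes it verbatim: `add_end_of_file $FILE "$PATTERN$VALUE"` appends the literal line `^TMOUT=600` to /etc/profile.d/CIS_99.1_timeout.sh, which is not an assignment (bash reports `^TMOUT=600: command not found` when the profile is sourced), after which `readonly TMOUT` locks an unset variable and no idle timeout is ever enforced. The lookups then search for `^^TMOUT=`, a doubled anchor whose meaning depends on the grep flavour inside does_pattern_exists_in_file (defined outside this page), so audit may even report ok on the broken file. Keep the anchor out of the data: `PATTERN='TMOUT='`, leaving the `"^$PATTERN"` in both lookups as they are. VALUE deserves a comment such as `# seconds of inactivity before an interactive shell exits`.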
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+#
+# CIS Debian 7 Hardening /!\ Not in the Guide
+# Authors : Thibault Dewailly, OVH
+#
+
+#
+# 99.2 Disable USB Devices
+#
+
+set -e # One error, it's over
+set -u # One variable unset, it's over
+
+USER='root'
+PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"' # We do test disabled by default, whitelist is up to you
+FILES_TO_SEARCH='/etc/udev/rules.d/*'
+FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+ does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
+ if [ $FNRET != 0 ]; then
+ crit "$PATTERN not present in $FILES_TO_SEARCH"
+ else
+ ok "$PATTERN present in $FILES_TO_SEARCH"
+ fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+ does_pattern_exists_in_file "$FILES_TO_SEARCH" "^$PATTERN"
+ if [ $FNRET != 0 ]; then
+ warn "$PATTERN not present in $FILES_TO_SEARCH"
+ touch $FILE
+ chmod 644 $FILE
+ add_end_of_file $FILE '
+# By default, disable all.
+ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
+
+# Enable hub devices.
+ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
+
+# Enables keyboard devices
+ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
+
+# PS2-USB converter
+ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
+'
+ else
+ ok "$PATTERN present in $FILES_TO_SEARCH"
+ fi
+}
+
+# This function will check config parameters required
+check_config() {
+ :
+}
+
+# Source Root Dir Parameter
+if [ ! -r /etc/default/cis-hardenning ]; then
+ echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
+ exit 128
+else
+ . 
/etc/default/cis-hardenning
+ if [ -z $CIS_ROOT_DIR ]; then
+ echo "No CIS_ROOT_DIR variable, aborting"
+ fi
+fi
+
+# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
+[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
diff --git a/etc/conf.d/99.1_timeout_tty.cfg b/etc/conf.d/99.1_timeout_tty.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/99.1_timeout_tty.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
diff --git a/etc/conf.d/99.2_disable_usb_devices.cfg b/etc/conf.d/99.2_disable_usb_devices.cfg
new file mode 100644
index 0000000..e1e4502
--- /dev/null
+++ b/etc/conf.d/99.2_disable_usb_devices.cfg
@@ -0,0 +1,2 @@
+# Configuration for script of same name
+status=enabled
From 091eec57ee7f706c2dd16150c75b4d93a183b724 Mon Sep 17 00:00:00 2001
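Review bot: FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh' ends in `.sh`, and udev only processes rules files whose name ends in `.rules` (other extensions are ignored), so the rules apply() writes are never loaded, while the audit still reports OK because FILES_TO_SEARCH='/etc/udev/rules.d/*' matches the ignored file; rename it to `FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.rules'`. The allow-list entries match on `bDeviceClass` and `product`, which are descriptors the device itself reports, so the whitelist keys on self-declared identity rather than anything verified; a comment above the `add_end_of_file $FILE '` block, such as `# Allow-list matches on device-reported descriptors; adapt it to the hardware you actually expect`, would record that for whoever edits the whitelist, as the PATTERN comment already invites. The apply function begins on the previous physical line of the page.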
From: "thibault.dewailly" Date: Mon, 18 Apr 2016 13:19:46 +0200 Subject: [PATCH 64/64] All configuration defaults to disabled README updated --- README | 11 +++++++++++ bin/hardening.sh | 13 ++++++------- bin/hardening/1.1_install_updates.sh | 1 - bin/hardening/10.1.1_set_password_exp_days.sh | 1 - .../10.1.2_set_password_min_days_change.sh | 1 - .../10.1.3_set_password_exp_warning_days.sh | 1 - bin/hardening/10.2_disable_system_accounts.sh | 1 - bin/hardening/10.3_default_root_group.sh | 1 - bin/hardening/10.4_default_umask.sh | 1 - bin/hardening/10.5_lock_inactive_user_account.sh | 1 - bin/hardening/11.1_warning_banners.sh | 1 - .../11.2_remove_os_info_warning_banners.sh | 1 - bin/hardening/11.3_graphical_warning_banners.sh | 1 - bin/hardening/12.10_find_suid_files.sh | 1 - bin/hardening/12.11_find_sgid_files.sh | 1 - bin/hardening/12.1_etc_passwd_permissions.sh | 1 - bin/hardening/12.2_etc_shadow_permissions.sh | 1 - bin/hardening/12.3_etc_group_permissions.sh | 1 - bin/hardening/12.4_etc_passwd_ownership.sh | 1 - bin/hardening/12.5_etc_shadow_ownership.sh | 1 - bin/hardening/12.6_etc_group_ownership.sh | 1 - bin/hardening/12.7_find_world_writable_file.sh | 1 - bin/hardening/12.8_find_unowned_files.sh | 1 - bin/hardening/12.9_find_ungrouped_files.sh | 1 - bin/hardening/13.10_find_user_rhosts_files.sh | 1 - .../13.11_find_passwd_group_inconsistencies.sh | 1 - bin/hardening/13.12_users_valid_homedir.sh | 1 - bin/hardening/13.13_check_user_homedir_ownership.sh | 1 - bin/hardening/13.14_check_duplicate_uid.sh | 1 - bin/hardening/13.15_check_duplicate_gid.sh | 1 - bin/hardening/13.16_check_duplicate_username.sh | 1 - bin/hardening/13.17_check_duplicate_groupname.sh | 1 - bin/hardening/13.18_find_user_netrc_files.sh | 1 - bin/hardening/13.19_find_user_forward_files.sh | 1 - bin/hardening/13.1_remove_empty_password_field.sh | 1 - bin/hardening/13.20_shadow_group_empty.sh | 1 - bin/hardening/13.2_remove_legacy_passwd_entries.sh | 1 - 
bin/hardening/13.3_remove_legacy_shadow_entries.sh | 1 - bin/hardening/13.4_remove_legacy_group_entries.sh | 1 - bin/hardening/13.5_find_0_uid_non_root_account.sh | 1 - bin/hardening/13.6_sanitize_root_path.sh | 1 - bin/hardening/13.7_check_user_dir_perm.sh | 1 - bin/hardening/13.8_check_user_dot_file_perm.sh | 1 - bin/hardening/13.9_set_perm_on_user_netrc.sh | 1 - bin/hardening/2.10_home_nodev.sh | 1 - bin/hardening/2.11_removable_device_nodev.sh | 1 - bin/hardening/2.12_removable_device_noexec.sh | 1 - bin/hardening/2.13_removable_device_nosuid.sh | 1 - bin/hardening/2.14_run_shm_nodev.sh | 1 - bin/hardening/2.15_run_shm_nosuid.sh | 1 - bin/hardening/2.16_run_shm_noexec.sh | 1 - .../2.17_sticky_bit_world_writable_folder.sh | 1 - bin/hardening/2.18_disable_cramfs.sh | 1 - bin/hardening/2.19_disable_freevxfs.sh | 1 - bin/hardening/2.1_tmp_partition.sh | 1 - bin/hardening/2.20_disable_jffs2.sh | 1 - bin/hardening/2.21_disable_hfs.sh | 1 - bin/hardening/2.22_disable_hfsplus.sh | 1 - bin/hardening/2.23_disable_squashfs.sh | 1 - bin/hardening/2.24_disable_udf.sh | 1 - bin/hardening/2.25_disable_automounting.sh | 1 - bin/hardening/2.2_tmp_nodev.sh | 1 - bin/hardening/2.3_tmp_nosuid.sh | 1 - bin/hardening/2.4_tmp_noexec.sh | 1 - bin/hardening/2.5_var_partition.sh | 1 - bin/hardening/2.6.1_var_tmp_partition.sh | 1 - bin/hardening/2.6.2_var_tmp_nodev.sh | 1 - bin/hardening/2.6.3_var_tmp_nosuid.sh | 1 - bin/hardening/2.6.4_var_tmp_noexec.sh | 1 - bin/hardening/2.7_var_log_partition.sh | 1 - bin/hardening/2.8_var_log_audit_partition.sh | 1 - bin/hardening/2.9_home_partition.sh | 1 - bin/hardening/3.1_bootloader_ownership.sh | 1 - bin/hardening/3.2_bootloader_permissions.sh | 1 - bin/hardening/3.3_bootloader_password.sh | 1 - bin/hardening/3.4_root_password.sh | 1 - bin/hardening/4.1_restrict_core_dumps.sh | 1 - bin/hardening/4.2_enable_nx_support.sh | 1 - bin/hardening/4.3_enable_randomized_vm_placement.sh | 1 - bin/hardening/4.4_disable_prelink.sh | 1 - 
bin/hardening/4.5_enable_apparmor.sh | 1 - bin/hardening/5.1.1_disable_nis.sh | 1 - bin/hardening/5.1.2_disable_rsh.sh | 1 - bin/hardening/5.1.3_disable_rsh_client.sh | 1 - bin/hardening/5.1.4_disable_talk.sh | 1 - bin/hardening/5.1.5_disable_talk_client.sh | 1 - bin/hardening/5.1.6_disable_telnet_server.sh | 1 - bin/hardening/5.1.7_disable_tftp_server.sh | 1 - bin/hardening/5.1.8_disable_inetd.sh | 1 - bin/hardening/5.2_disable_chargen.sh | 1 - bin/hardening/5.3_disable_daytime.sh | 1 - bin/hardening/5.4_disable_echo.sh | 1 - bin/hardening/5.5_disable_discard.sh | 1 - bin/hardening/5.6_disable_time.sh | 1 - bin/hardening/6.10_disable_http_server.sh | 1 - bin/hardening/6.11_disable_imap_pop.sh | 1 - bin/hardening/6.12_disable_samba.sh | 1 - bin/hardening/6.13_diable_http_proxy.sh | 1 - bin/hardening/6.14_disable_snmp_server.sh | 1 - bin/hardening/6.15_mta_localhost.sh | 1 - bin/hardening/6.16_disable_rsync.sh | 1 - bin/hardening/6.1_disable_xwindow_system.sh | 1 - bin/hardening/6.2_disable_avahi_server.sh | 1 - bin/hardening/6.3_disable_print_server.sh | 1 - bin/hardening/6.4_disable_dhcp.sh | 1 - bin/hardening/6.5_configure_ntp.sh | 1 - bin/hardening/6.6_diable_ldap.sh | 1 - bin/hardening/6.7_disable_nfs_rpc.sh | 1 - bin/hardening/6.8_disable_dns_server.sh | 1 - bin/hardening/6.9_disable_ftp.sh | 1 - bin/hardening/7.1.1_disable_ip_forwarding.sh | 1 - .../7.1.2_disable_send_packet_redirects.sh | 1 - .../7.2.1_disable_source_routed_packets.sh | 1 - bin/hardening/7.2.2_disable_icmp_redirect.sh | 1 - bin/hardening/7.2.3_disable_secure_icmp_redirect.sh | 1 - bin/hardening/7.2.4_log_martian_packets.sh | 1 - bin/hardening/7.2.5_ignore_broadcast_requests.sh | 1 - .../7.2.6_enable_bad_error_message_protection.sh | 1 - .../7.2.7_enable_source_route_validation.sh | 1 - bin/hardening/7.2.8_enable_tcp_syn_cookies.sh | 1 - .../7.3.1_disable_ipv6_router_advertisement.sh | 1 - bin/hardening/7.3.2_disable_ipv6_redirect.sh | 1 - bin/hardening/7.3.3_disable_ipv6.sh | 1 - 
bin/hardening/7.4.1_install_tcp_wrapper.sh | 1 - bin/hardening/7.4.2_hosts_allow.sh | 1 - bin/hardening/7.4.3_hosts_allow_permissions.sh | 1 - bin/hardening/7.4.4_hosts_deny.sh | 1 - bin/hardening/7.4.5_hosts_deny_permissions.sh | 1 - bin/hardening/7.5.1_disable_dccp.sh | 1 - bin/hardening/7.5.2_disable_sctp.sh | 1 - bin/hardening/7.5.3_disable_rds.sh | 1 - bin/hardening/7.5.4_disable_tipc.sh | 1 - bin/hardening/7.6_disable_wireless.sh | 1 - bin/hardening/7.7_enable_firewall.sh | 1 - bin/hardening/8.0_enable_auditd_kernel.sh | 1 - bin/hardening/8.1.1.1_audit_log_storage.sh | 1 - bin/hardening/8.1.1.2_halt_when_audit_log_full.sh | 1 - bin/hardening/8.1.1.3_keep_all_audit_logs.sh | 1 - bin/hardening/8.1.10_record_dac_edit.sh | 1 - bin/hardening/8.1.11_record_failed_access_file.sh | 1 - bin/hardening/8.1.12_record_privileged_commands.sh | 1 - bin/hardening/8.1.13_record_successful_mount.sh | 1 - bin/hardening/8.1.14_record_file_deletions.sh | 1 - bin/hardening/8.1.15_record_sudoers_edit.sh | 1 - bin/hardening/8.1.16_record_sudo_usage.sh | 1 - bin/hardening/8.1.17_record_kernel_modules.sh | 1 - bin/hardening/8.1.18_freeze_auditd_conf.sh | 1 - bin/hardening/8.1.2_enable_auditd.sh | 1 - bin/hardening/8.1.3_audit_bootloader.sh | 1 - bin/hardening/8.1.4_record_date_time_edit.sh | 1 - bin/hardening/8.1.5_record_user_group_edit.sh | 1 - bin/hardening/8.1.6_record_network_edit.sh | 1 - bin/hardening/8.1.7_record_mac_edit.sh | 1 - bin/hardening/8.1.8_record_login_logout.sh | 1 - bin/hardening/8.1.9_record_session_init.sh | 1 - bin/hardening/8.2.1_install_syslog-ng.sh | 1 - bin/hardening/8.2.2_enable_syslog-ng.sh | 1 - bin/hardening/8.2.3_configure_syslog-ng.sh | 1 - bin/hardening/8.2.4_set_logfile_perm.sh | 1 - bin/hardening/8.2.5_syslog-ng_remote_host.sh | 1 - bin/hardening/8.2.6_remote_syslog-ng_acl.sh | 1 - bin/hardening/8.3.1_install_tripwire.sh | 1 - bin/hardening/8.3.2_tripwire_cron.sh | 1 - bin/hardening/8.4_configure_logrotate.sh | 1 - 
bin/hardening/9.1.1_enable_cron.sh | 1 - bin/hardening/9.1.2_crontab_perm_ownership.sh | 1 - bin/hardening/9.1.3_cron_hourly_perm_ownership.sh | 1 - bin/hardening/9.1.4_cron_daily_perm_ownership.sh | 1 - bin/hardening/9.1.5_cron_weekly_perm_ownership.sh | 1 - bin/hardening/9.1.6_cron_monthly_perm_ownership.sh | 1 - bin/hardening/9.1.7_cron_d_perm_ownership.sh | 1 - bin/hardening/9.1.8_cron_users.sh | 1 - bin/hardening/9.2.1_enable_cracklib.sh | 1 - .../9.2.2_enable_lockout_failed_password.sh | 1 - bin/hardening/9.2.3_limit_password_reuse.sh | 1 - bin/hardening/9.3.10_disable_sshd_setenv.sh | 1 - bin/hardening/9.3.11_sshd_ciphers.sh | 1 - bin/hardening/9.3.12_sshd_idle_timeout.sh | 1 - bin/hardening/9.3.13_sshd_limit_access.sh | 1 - bin/hardening/9.3.14_ssh_banner.sh | 1 - bin/hardening/9.3.1_sshd_protocol.sh | 1 - bin/hardening/9.3.2_sshd_loglevel.sh | 1 - bin/hardening/9.3.3_sshd_conf_perm_ownership.sh | 1 - bin/hardening/9.3.4_disable_x11_forwarding.sh | 1 - bin/hardening/9.3.5_sshd_maxauthtries.sh | 1 - bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh | 1 - .../9.3.7_disable_sshd_hostbasedauthentication.sh | 1 - bin/hardening/9.3.8_disable_root_login.sh | 1 - .../9.3.9_disable_sshd_permitemptypasswords.sh | 1 - bin/hardening/9.4_secure_tty.sh | 1 - bin/hardening/9.5_restrict_su.sh | 1 - bin/hardening/99.1_timeout_tty.sh | 1 - bin/hardening/99.2_disable_usb_devices.sh | 1 - etc/conf.d/1.1_install_updates.cfg | 2 +- etc/conf.d/10.1.1_set_password_exp_days.cfg | 2 +- etc/conf.d/10.1.2_set_password_min_days_change.cfg | 2 +- etc/conf.d/10.1.3_set_password_exp_warning_days.cfg | 2 +- etc/conf.d/10.2_disable_system_accounts.cfg | 2 +- etc/conf.d/10.3_default_root_group.cfg | 2 +- etc/conf.d/10.4_default_umask.cfg | 2 +- etc/conf.d/10.5_lock_inactive_user_account.cfg | 2 +- etc/conf.d/11.1_warning_banners.cfg | 2 +- etc/conf.d/11.2_remove_os_info_warning_banners.cfg | 2 +- etc/conf.d/11.3_graphical_warning_banners.cfg | 2 +- etc/conf.d/12.10_find_suid_files.cfg | 2 +- 
etc/conf.d/12.11_find_sgid_files.cfg | 2 +- etc/conf.d/12.1_etc_passwd_permissions.cfg | 2 +- etc/conf.d/12.2_etc_shadow_permissions.cfg | 2 +- etc/conf.d/12.3_etc_group_permissions.cfg | 2 +- etc/conf.d/12.4_etc_passwd_ownership.cfg | 2 +- etc/conf.d/12.5_etc_shadow_ownership.cfg | 2 +- etc/conf.d/12.6_etc_group_ownership.cfg | 2 +- etc/conf.d/12.7_find_world_writable_file.cfg | 2 +- etc/conf.d/12.8_find_unowned_files.cfg | 2 +- etc/conf.d/12.9_find_ungrouped_files.cfg | 2 +- etc/conf.d/13.10_find_user_rhosts_files.cfg | 2 +- .../13.11_find_passwd_group_inconsistencies.cfg | 2 +- etc/conf.d/13.12_users_valid_homedir.cfg | 2 +- etc/conf.d/13.13_check_user_homedir_ownership.cfg | 2 +- etc/conf.d/13.14_check_duplicate_uid.cfg | 2 +- etc/conf.d/13.15_check_duplicate_gid.cfg | 2 +- etc/conf.d/13.16_check_duplicate_username.cfg | 2 +- etc/conf.d/13.17_check_duplicate_groupname.cfg | 2 +- etc/conf.d/13.18_find_user_netrc_files.cfg | 2 +- etc/conf.d/13.19_find_user_forward_files.cfg | 2 +- etc/conf.d/13.1_remove_empty_password_field.cfg | 2 +- etc/conf.d/13.20_shadow_group_empty.cfg | 2 +- etc/conf.d/13.2_remove_legacy_passwd_entries.cfg | 2 +- etc/conf.d/13.3_remove_legacy_shadow_entries.cfg | 2 +- etc/conf.d/13.4_remove_legacy_group_entries.cfg | 2 +- etc/conf.d/13.5_find_0_uid_non_root_account.cfg | 2 +- etc/conf.d/13.6_sanitize_root_path.cfg | 2 +- etc/conf.d/13.7_check_user_dir_perm.cfg | 2 +- etc/conf.d/13.8_check_user_dot_file_perm.cfg | 2 +- etc/conf.d/13.9_set_perm_on_user_netrc.cfg | 2 +- etc/conf.d/5.1.2_disable_rsh.cfg | 2 +- etc/conf.d/5.1.4_disable_talk.cfg | 2 +- etc/conf.d/5.1.5_disable_talk_client.cfg | 2 +- etc/conf.d/5.1.6_disable_telnet_server.cfg | 2 +- etc/conf.d/5.1.7_disable_tftp_server.cfg | 2 +- etc/conf.d/5.1.8_disable_inetd.cfg | 2 +- etc/conf.d/5.2_disable_chargen.cfg | 2 +- etc/conf.d/5.3_disable_daytime.cfg | 2 +- etc/conf.d/5.4_disable_echo.cfg | 2 +- etc/conf.d/5.5_disable_discard.cfg | 2 +- etc/conf.d/5.6_disable_time.cfg | 2 +- 
etc/conf.d/6.10_disable_http_server.cfg | 2 +- etc/conf.d/6.11_disable_imap_pop.cfg | 2 +- etc/conf.d/6.12_disable_samba.cfg | 2 +- etc/conf.d/6.13_diable_http_proxy.cfg | 2 +- etc/conf.d/6.14_disable_snmp_server.cfg | 2 +- etc/conf.d/6.15_mta_localhost.cfg | 2 +- etc/conf.d/6.16_disable_rsync.cfg | 2 +- etc/conf.d/6.1_disable_xwindow_system.cfg | 2 +- etc/conf.d/6.2_disable_avahi_server.cfg | 2 +- etc/conf.d/6.3_disable_print_server.cfg | 2 +- etc/conf.d/6.4_disable_dhcp.cfg | 2 +- etc/conf.d/6.5_configure_ntp.cfg | 2 +- etc/conf.d/6.6_diable_ldap.cfg | 2 +- etc/conf.d/6.7_disable_nfs_rpc.cfg | 2 +- etc/conf.d/6.8_disable_dns_server.cfg | 2 +- etc/conf.d/6.9_disable_ftp.cfg | 2 +- etc/conf.d/7.1.1_disable_ip_forwarding.cfg | 2 +- etc/conf.d/7.1.2_disable_send_packet_redirects.cfg | 2 +- etc/conf.d/7.2.1_disable_source_routed_packets.cfg | 2 +- etc/conf.d/7.2.2_disable_icmp_redirect.cfg | 2 +- etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg | 2 +- etc/conf.d/7.2.4_log_martian_packets.cfg | 2 +- etc/conf.d/7.2.5_ignore_broadcast_requests.cfg | 2 +- .../7.2.6_enable_bad_error_message_protection.cfg | 2 +- etc/conf.d/7.2.7_enable_source_route_validation.cfg | 2 +- etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg | 2 +- .../7.3.1_disable_ipv6_router_advertisement.cfg | 2 +- etc/conf.d/7.3.2_disable_ipv6_redirect.cfg | 2 +- etc/conf.d/7.3.3_disable_ipv6.cfg | 2 +- etc/conf.d/7.4.1_install_tcp_wrapper.cfg | 2 +- etc/conf.d/7.4.2_hosts_allow.cfg | 2 +- etc/conf.d/7.4.3_hosts_allow_permissions.cfg | 2 +- etc/conf.d/7.4.4_hosts_deny.cfg | 2 +- etc/conf.d/7.4.5_hosts_deny_permissions.cfg | 2 +- etc/conf.d/7.5.1_disable_dccp.cfg | 2 +- etc/conf.d/7.5.2_disable_sctp.cfg | 2 +- etc/conf.d/7.5.3_disable_rds.cfg | 2 +- etc/conf.d/7.6_disable_wireless.cfg | 2 +- etc/conf.d/7.7_enable_firewall.cfg | 2 +- etc/conf.d/8.0_enable_auditd_kernel.cfg | 2 +- etc/conf.d/8.1.1.1_audit_log_storage.cfg | 2 +- etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg | 2 +- 
etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg | 2 +- etc/conf.d/8.1.10_record_dac_edit.cfg | 2 +- etc/conf.d/8.1.11_record_failed_access_file.cfg | 2 +- etc/conf.d/8.1.12_record_privileged_commands.cfg | 2 +- etc/conf.d/8.1.13_record_successful_mount.cfg | 2 +- etc/conf.d/8.1.14_record_file_deletions.cfg | 2 +- etc/conf.d/8.1.15_record_sudoers_edit.cfg | 2 +- etc/conf.d/8.1.16_record_sudo_usage.cfg | 2 +- etc/conf.d/8.1.17_record_kernel_modules.cfg | 2 +- etc/conf.d/8.1.18_freeze_auditd_conf.cfg | 2 +- etc/conf.d/8.1.2_enable_auditd.cfg | 2 +- etc/conf.d/8.1.3_audit_bootloader.cfg | 2 +- etc/conf.d/8.1.4_record_date_time_edit.cfg | 2 +- etc/conf.d/8.1.5_record_user_group_edit.cfg | 2 +- etc/conf.d/8.1.6_record_network_edit.cfg | 2 +- etc/conf.d/8.1.7_record_mac_edit.cfg | 2 +- etc/conf.d/8.1.8_record_login_logout.cfg | 2 +- etc/conf.d/8.1.9_record_session_init.cfg | 2 +- etc/conf.d/8.2.1_install_syslog-ng.cfg | 2 +- etc/conf.d/8.2.2_enable_syslog-ng.cfg | 2 +- etc/conf.d/8.2.3_configure_syslog-ng.cfg | 2 +- etc/conf.d/8.2.4_set_logfile_perm.cfg | 2 +- etc/conf.d/8.2.5_syslog-ng_remote_host.cfg | 2 +- etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg | 2 +- etc/conf.d/8.3.1_install_tripwire.cfg | 2 +- etc/conf.d/8.3.2_tripwire_cron.cfg | 2 +- etc/conf.d/8.4_configure_logrotate.cfg | 2 +- etc/conf.d/9.1.1_enable_cron.cfg | 2 +- etc/conf.d/9.1.2_crontab_perm_ownership.cfg | 2 +- etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg | 2 +- etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg | 2 +- etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg | 2 +- etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg | 2 +- etc/conf.d/9.1.7_cron_d_perm_ownership.cfg | 2 +- etc/conf.d/9.1.8_cron_users.cfg | 2 +- etc/conf.d/9.2.1_enable_cracklib.cfg | 2 +- etc/conf.d/9.2.2_enable_lockout_failed_password.cfg | 2 +- etc/conf.d/9.2.3_limit_password_reuse.cfg | 2 +- etc/conf.d/9.3.10_disable_sshd_setenv.cfg | 2 +- etc/conf.d/9.3.11_sshd_ciphers.cfg | 2 +- etc/conf.d/9.3.12_sshd_idle_timeout.cfg | 2 +- 
etc/conf.d/9.3.13_sshd_limit_access.cfg | 2 +- etc/conf.d/9.3.14_ssh_banner.cfg | 2 +- etc/conf.d/9.3.1_sshd_protocol.cfg | 2 +- etc/conf.d/9.3.2_sshd_loglevel.cfg | 2 +- etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg | 2 +- etc/conf.d/9.3.4_disable_x11_forwarding.cfg | 2 +- etc/conf.d/9.3.5_sshd_maxauthtries.cfg | 2 +- etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg | 2 +- .../9.3.7_disable_sshd_hostbasedauthentication.cfg | 2 +- etc/conf.d/9.3.8_disable_root_login.cfg | 2 +- .../9.3.9_disable_sshd_permitemptypasswords.cfg | 2 +- etc/conf.d/9.4_secure_tty.cfg | 2 +- etc/conf.d/9.5_restrict_su.cfg | 2 +- etc/conf.d/99.1_timeout_tty.cfg | 2 +- etc/conf.d/99.2_disable_usb_devices.cfg | 2 +- lib/main.sh | 2 +- 345 files changed, 169 insertions(+), 350 deletions(-) diff --git a/README b/README index 4d4935b..70d130e 100644 --- a/README +++ b/README @@ -1,2 +1,13 @@ # CIS Debian 7 Hardening git repository +# Authors : Thibault Dewailly, OVH # This is the code base which will be used to fill CIS hardening requirements + +# Hardening scripts : +# bin/hardening : Every script has a .cfg associated, status must be defined here + +# Main script : +# bin/hardening.sh : Will execute hardening according to configuration + +# Configuration +# etc/hardening.cfg : Global variables defined such as backup directory, or log level +# etc/conf.d : Folder with all .cfg associated to hardenign scripts diff --git a/bin/hardening.sh b/bin/hardening.sh index b853bd7..27c2b8b 100755 --- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -9,11 +9,6 @@ # Main script : Execute hardening considering configuration # -# Execute blindly binaries -# Audit mode - -# ls | sort -V - LONG_SCRIPT_NAME=$(basename $0) SCRIPT_NAME=${LONG_SCRIPT_NAME%.sh} DISABLED_CHECKS=0 
@@ -29,7 +24,7 @@ usage() {
$LONG_SCRIPT_NAME ( --apply | -- audit ) < -h | --help >
--apply : Apply hardening if told in configuration
--audit : If script not disabled, audit configuration only
- -h|--help : this help
+ -h|--help : This help
EOF
exit 0
}
@@ -116,4 +111,8 @@ printf "%30s %s\n" "Total Runned Checks :" "$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Passed Checks :" "$PASSED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s [ %7s ]\n" "Total Failed Checks :" "$FAILED_CHECKS/$TOTAL_TREATED_CHECKS"
printf "%30s %.2f %%\n" "Enabled Checks Percentage :" "$( echo "($TOTAL_TREATED_CHECKS/$TOTAL_CHECKS) * 100" | bc -l)"
-printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
+if [ $TOTAL_TREATED_CHECKS != 0 ]; then
+ printf "%30s %.2f %%\n" "Conformity Percentage :" "$( echo "($PASSED_CHECKS/$TOTAL_TREATED_CHECKS) * 100" | bc -l)"
+else
+ printf "%30s %s %%\n" "Conformity Percentage :" "N.A" # No check runned, avoid division by 0
+fi
diff --git a/bin/hardening/1.1_install_updates.sh b/bin/hardening/1.1_install_updates.sh
index 89d5557..63acf4d 100755
--- a/bin/hardening/1.1_install_updates.sh
+++ b/bin/hardening/1.1_install_updates.sh
@@ -2,7 +2,6 @@
#
# CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
#
#
diff --git a/bin/hardening/10.1.1_set_password_exp_days.sh b/bin/hardening/10.1.1_set_password_exp_days.sh
index 3e0a60d..039bb5c 100755
--- a/bin/hardening/10.1.1_set_password_exp_days.sh
+++ b/bin/hardening/10.1.1_set_password_exp_days.sh
@@ -2,7 +2,6 @@
#
# CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
#
#
diff --git a/bin/hardening/10.1.2_set_password_min_days_change.sh b/bin/hardening/10.1.2_set_password_min_days_change.sh
index 136b0e2..cc0cdd8 100755
--- a/bin/hardening/10.1.2_set_password_min_days_change.sh
+++ b/bin/hardening/10.1.2_set_password_min_days_change.sh
@@ -2,7 +2,6 @@
#
# CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
#
#
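Review bot: The guard added around the Conformity line in the `@@ -116,4 +111,8 @@` hunk of bin/hardening.sh leaves the `Enabled Checks Percentage` context line just above it still dividing by $TOTAL_CHECKS, which is presumably zero in the same case the guard targets (no script found, so the per-script counter in the run loop — which starts outside the hunk — never increments), and then bc reports a divide error while `%.2f` receives an empty string. Give that line its own guard, `if [ "$TOTAL_CHECKS" -ne 0 ]; then` … `else` … `fi`, and use the arithmetic comparison on the new guard as well, `if [ "$TOTAL_TREATED_CHECKS" -ne 0 ]; then`, since these are counters rather than strings. The `# No check runned, avoid division by 0` comment states the intent well and should stay with the else branch.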
diff --git a/bin/hardening/10.1.3_set_password_exp_warning_days.sh b/bin/hardening/10.1.3_set_password_exp_warning_days.sh index ce7b164..cef3353 100755 --- a/bin/hardening/10.1.3_set_password_exp_warning_days.sh +++ b/bin/hardening/10.1.3_set_password_exp_warning_days.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/10.2_disable_system_accounts.sh b/bin/hardening/10.2_disable_system_accounts.sh index 7821e66..ab1ac15 100755 --- a/bin/hardening/10.2_disable_system_accounts.sh +++ b/bin/hardening/10.2_disable_system_accounts.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/10.3_default_root_group.sh b/bin/hardening/10.3_default_root_group.sh index d534d35..f2e5364 100755 --- a/bin/hardening/10.3_default_root_group.sh +++ b/bin/hardening/10.3_default_root_group.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/10.4_default_umask.sh b/bin/hardening/10.4_default_umask.sh index 343cf59..6b30f3e 100755 --- a/bin/hardening/10.4_default_umask.sh +++ b/bin/hardening/10.4_default_umask.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/10.5_lock_inactive_user_account.sh b/bin/hardening/10.5_lock_inactive_user_account.sh index 9c025ec..6208f75 100755 --- a/bin/hardening/10.5_lock_inactive_user_account.sh +++ b/bin/hardening/10.5_lock_inactive_user_account.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/11.1_warning_banners.sh b/bin/hardening/11.1_warning_banners.sh index b4620ce..8285edf 100755 --- a/bin/hardening/11.1_warning_banners.sh +++ b/bin/hardening/11.1_warning_banners.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/11.2_remove_os_info_warning_banners.sh b/bin/hardening/11.2_remove_os_info_warning_banners.sh index 9ed0bc9..a622644 100755 --- a/bin/hardening/11.2_remove_os_info_warning_banners.sh +++ b/bin/hardening/11.2_remove_os_info_warning_banners.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/11.3_graphical_warning_banners.sh b/bin/hardening/11.3_graphical_warning_banners.sh index 7126b93..5dee2bb 100755 --- a/bin/hardening/11.3_graphical_warning_banners.sh +++ b/bin/hardening/11.3_graphical_warning_banners.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/12.10_find_suid_files.sh b/bin/hardening/12.10_find_suid_files.sh index f43cbc0..6495b6a 100755 --- a/bin/hardening/12.10_find_suid_files.sh +++ b/bin/hardening/12.10_find_suid_files.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/12.11_find_sgid_files.sh b/bin/hardening/12.11_find_sgid_files.sh index 783be7e..0ca7f66 100755 --- a/bin/hardening/12.11_find_sgid_files.sh +++ b/bin/hardening/12.11_find_sgid_files.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/12.1_etc_passwd_permissions.sh b/bin/hardening/12.1_etc_passwd_permissions.sh index 3b6ffc4..249c5d0 100755 --- a/bin/hardening/12.1_etc_passwd_permissions.sh +++ b/bin/hardening/12.1_etc_passwd_permissions.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/12.2_etc_shadow_permissions.sh b/bin/hardening/12.2_etc_shadow_permissions.sh index 774b470..7f51c02 100755 --- a/bin/hardening/12.2_etc_shadow_permissions.sh +++ b/bin/hardening/12.2_etc_shadow_permissions.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/12.3_etc_group_permissions.sh b/bin/hardening/12.3_etc_group_permissions.sh index acfbb87..a3bdae1 100755 --- a/bin/hardening/12.3_etc_group_permissions.sh +++ b/bin/hardening/12.3_etc_group_permissions.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/12.4_etc_passwd_ownership.sh b/bin/hardening/12.4_etc_passwd_ownership.sh index e33312d..51eb6da 100755 --- a/bin/hardening/12.4_etc_passwd_ownership.sh +++ b/bin/hardening/12.4_etc_passwd_ownership.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/12.5_etc_shadow_ownership.sh b/bin/hardening/12.5_etc_shadow_ownership.sh index e7c26cd..2e5ec7c 100755 --- a/bin/hardening/12.5_etc_shadow_ownership.sh +++ b/bin/hardening/12.5_etc_shadow_ownership.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/12.6_etc_group_ownership.sh b/bin/hardening/12.6_etc_group_ownership.sh index c2c0a88..e89d807 100755 --- a/bin/hardening/12.6_etc_group_ownership.sh +++ b/bin/hardening/12.6_etc_group_ownership.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/12.7_find_world_writable_file.sh b/bin/hardening/12.7_find_world_writable_file.sh index f530dd6..ec8d6f9 100755 --- a/bin/hardening/12.7_find_world_writable_file.sh +++ b/bin/hardening/12.7_find_world_writable_file.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/12.8_find_unowned_files.sh b/bin/hardening/12.8_find_unowned_files.sh index 7b1936c..db6858d 100755 --- a/bin/hardening/12.8_find_unowned_files.sh +++ b/bin/hardening/12.8_find_unowned_files.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/12.9_find_ungrouped_files.sh b/bin/hardening/12.9_find_ungrouped_files.sh index 3ccb671..f1ed3c5 100755 --- a/bin/hardening/12.9_find_ungrouped_files.sh +++ b/bin/hardening/12.9_find_ungrouped_files.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.10_find_user_rhosts_files.sh b/bin/hardening/13.10_find_user_rhosts_files.sh index 8fa7ea9..93aa00e 100755 --- a/bin/hardening/13.10_find_user_rhosts_files.sh +++ b/bin/hardening/13.10_find_user_rhosts_files.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.11_find_passwd_group_inconsistencies.sh b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh index d16fed3..1ee48b1 100755 --- a/bin/hardening/13.11_find_passwd_group_inconsistencies.sh +++ b/bin/hardening/13.11_find_passwd_group_inconsistencies.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.12_users_valid_homedir.sh b/bin/hardening/13.12_users_valid_homedir.sh index e0fd8e9..f267331 100755 --- a/bin/hardening/13.12_users_valid_homedir.sh +++ b/bin/hardening/13.12_users_valid_homedir.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.13_check_user_homedir_ownership.sh b/bin/hardening/13.13_check_user_homedir_ownership.sh index 6adc24e..206f56b 100755 --- a/bin/hardening/13.13_check_user_homedir_ownership.sh +++ b/bin/hardening/13.13_check_user_homedir_ownership.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.14_check_duplicate_uid.sh b/bin/hardening/13.14_check_duplicate_uid.sh index fc79b7e..4de08fc 100755 --- a/bin/hardening/13.14_check_duplicate_uid.sh +++ b/bin/hardening/13.14_check_duplicate_uid.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/13.15_check_duplicate_gid.sh b/bin/hardening/13.15_check_duplicate_gid.sh index b07b5b7..1f93779 100755 --- a/bin/hardening/13.15_check_duplicate_gid.sh +++ b/bin/hardening/13.15_check_duplicate_gid.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.16_check_duplicate_username.sh b/bin/hardening/13.16_check_duplicate_username.sh index 172198b..6168eca 100755 --- a/bin/hardening/13.16_check_duplicate_username.sh +++ b/bin/hardening/13.16_check_duplicate_username.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.17_check_duplicate_groupname.sh b/bin/hardening/13.17_check_duplicate_groupname.sh index ab1e36b..a1a2824 100755 --- a/bin/hardening/13.17_check_duplicate_groupname.sh +++ b/bin/hardening/13.17_check_duplicate_groupname.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.18_find_user_netrc_files.sh b/bin/hardening/13.18_find_user_netrc_files.sh index 64986ce..414254b 100755 --- a/bin/hardening/13.18_find_user_netrc_files.sh +++ b/bin/hardening/13.18_find_user_netrc_files.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.19_find_user_forward_files.sh b/bin/hardening/13.19_find_user_forward_files.sh index eff76e3..8ff6648 100755 --- a/bin/hardening/13.19_find_user_forward_files.sh +++ b/bin/hardening/13.19_find_user_forward_files.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.1_remove_empty_password_field.sh b/bin/hardening/13.1_remove_empty_password_field.sh index 6c17732..469e84c 100755 --- a/bin/hardening/13.1_remove_empty_password_field.sh +++ b/bin/hardening/13.1_remove_empty_password_field.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/13.20_shadow_group_empty.sh b/bin/hardening/13.20_shadow_group_empty.sh index a65e1e8..dd23e41 100755 --- a/bin/hardening/13.20_shadow_group_empty.sh +++ b/bin/hardening/13.20_shadow_group_empty.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.2_remove_legacy_passwd_entries.sh b/bin/hardening/13.2_remove_legacy_passwd_entries.sh index 1ad0e75..5c4f341 100755 --- a/bin/hardening/13.2_remove_legacy_passwd_entries.sh +++ b/bin/hardening/13.2_remove_legacy_passwd_entries.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.3_remove_legacy_shadow_entries.sh b/bin/hardening/13.3_remove_legacy_shadow_entries.sh index e272c64..b88932b 100755 --- a/bin/hardening/13.3_remove_legacy_shadow_entries.sh +++ b/bin/hardening/13.3_remove_legacy_shadow_entries.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.4_remove_legacy_group_entries.sh b/bin/hardening/13.4_remove_legacy_group_entries.sh index 64c7cd4..5980c90 100755 --- a/bin/hardening/13.4_remove_legacy_group_entries.sh +++ b/bin/hardening/13.4_remove_legacy_group_entries.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.5_find_0_uid_non_root_account.sh b/bin/hardening/13.5_find_0_uid_non_root_account.sh index e6ab002..40e2173 100755 --- a/bin/hardening/13.5_find_0_uid_non_root_account.sh +++ b/bin/hardening/13.5_find_0_uid_non_root_account.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/13.6_sanitize_root_path.sh b/bin/hardening/13.6_sanitize_root_path.sh index 73f03ea..36178d4 100755 --- a/bin/hardening/13.6_sanitize_root_path.sh +++ b/bin/hardening/13.6_sanitize_root_path.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/13.7_check_user_dir_perm.sh b/bin/hardening/13.7_check_user_dir_perm.sh
index bd8eb5f..c34a96d 100755
--- a/bin/hardening/13.7_check_user_dir_perm.sh
+++ b/bin/hardening/13.7_check_user_dir_perm.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/13.8_check_user_dot_file_perm.sh b/bin/hardening/13.8_check_user_dot_file_perm.sh
index 0f2024d..d00379e 100755
--- a/bin/hardening/13.8_check_user_dot_file_perm.sh
+++ b/bin/hardening/13.8_check_user_dot_file_perm.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/13.9_set_perm_on_user_netrc.sh b/bin/hardening/13.9_set_perm_on_user_netrc.sh
index 553e740..d6f8e8e 100755
--- a/bin/hardening/13.9_set_perm_on_user_netrc.sh
+++ b/bin/hardening/13.9_set_perm_on_user_netrc.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.10_home_nodev.sh b/bin/hardening/2.10_home_nodev.sh
index 75a36ed..1c8a414 100755
--- a/bin/hardening/2.10_home_nodev.sh
+++ b/bin/hardening/2.10_home_nodev.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.11_removable_device_nodev.sh b/bin/hardening/2.11_removable_device_nodev.sh
index 6015175..010a432 100755
--- a/bin/hardening/2.11_removable_device_nodev.sh
+++ b/bin/hardening/2.11_removable_device_nodev.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.12_removable_device_noexec.sh b/bin/hardening/2.12_removable_device_noexec.sh
index 15d64db..1258880 100755
--- a/bin/hardening/2.12_removable_device_noexec.sh
+++ b/bin/hardening/2.12_removable_device_noexec.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.13_removable_device_nosuid.sh b/bin/hardening/2.13_removable_device_nosuid.sh
index 6c64b41..351d94b 100755
--- a/bin/hardening/2.13_removable_device_nosuid.sh
+++ b/bin/hardening/2.13_removable_device_nosuid.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.14_run_shm_nodev.sh b/bin/hardening/2.14_run_shm_nodev.sh
index 5759c2d..d58d354 100755
--- a/bin/hardening/2.14_run_shm_nodev.sh
+++ b/bin/hardening/2.14_run_shm_nodev.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.15_run_shm_nosuid.sh b/bin/hardening/2.15_run_shm_nosuid.sh
index d5944eb..451944a 100755
--- a/bin/hardening/2.15_run_shm_nosuid.sh
+++ b/bin/hardening/2.15_run_shm_nosuid.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.16_run_shm_noexec.sh b/bin/hardening/2.16_run_shm_noexec.sh
index 3f94baf..9f111b5 100755
--- a/bin/hardening/2.16_run_shm_noexec.sh
+++ b/bin/hardening/2.16_run_shm_noexec.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
index 6fbf176..0183a36 100755
--- a/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
+++ b/bin/hardening/2.17_sticky_bit_world_writable_folder.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.18_disable_cramfs.sh b/bin/hardening/2.18_disable_cramfs.sh
index 2fa2d47..9ddf758 100755
--- a/bin/hardening/2.18_disable_cramfs.sh
+++ b/bin/hardening/2.18_disable_cramfs.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.19_disable_freevxfs.sh b/bin/hardening/2.19_disable_freevxfs.sh
index e8e8429..65ce4cf 100755
--- a/bin/hardening/2.19_disable_freevxfs.sh
+++ b/bin/hardening/2.19_disable_freevxfs.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.1_tmp_partition.sh b/bin/hardening/2.1_tmp_partition.sh
index 5161cec..f2b5469 100755
--- a/bin/hardening/2.1_tmp_partition.sh
+++ b/bin/hardening/2.1_tmp_partition.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.20_disable_jffs2.sh b/bin/hardening/2.20_disable_jffs2.sh
index a567953..c2fe78d 100755
--- a/bin/hardening/2.20_disable_jffs2.sh
+++ b/bin/hardening/2.20_disable_jffs2.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.21_disable_hfs.sh b/bin/hardening/2.21_disable_hfs.sh
index 2f482e3..de679b2 100755
--- a/bin/hardening/2.21_disable_hfs.sh
+++ b/bin/hardening/2.21_disable_hfs.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.22_disable_hfsplus.sh b/bin/hardening/2.22_disable_hfsplus.sh
index 98d0d6e..3fede5a 100755
--- a/bin/hardening/2.22_disable_hfsplus.sh
+++ b/bin/hardening/2.22_disable_hfsplus.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.23_disable_squashfs.sh b/bin/hardening/2.23_disable_squashfs.sh
index 08c7fb9..37f8da3 100755
--- a/bin/hardening/2.23_disable_squashfs.sh
+++ b/bin/hardening/2.23_disable_squashfs.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.24_disable_udf.sh b/bin/hardening/2.24_disable_udf.sh
index e49ecb1..f429c38 100755
--- a/bin/hardening/2.24_disable_udf.sh
+++ b/bin/hardening/2.24_disable_udf.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.25_disable_automounting.sh b/bin/hardening/2.25_disable_automounting.sh
index 7b72cbb..1323bad 100755
--- a/bin/hardening/2.25_disable_automounting.sh
+++ b/bin/hardening/2.25_disable_automounting.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh
index cd089a1..6b34d0f 100755
--- a/bin/hardening/2.2_tmp_nodev.sh
+++ b/bin/hardening/2.2_tmp_nodev.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh
index 824eb34..a361ca7 100755
--- a/bin/hardening/2.3_tmp_nosuid.sh
+++ b/bin/hardening/2.3_tmp_nosuid.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.4_tmp_noexec.sh b/bin/hardening/2.4_tmp_noexec.sh
index 3971c4d..9d61da1 100755
--- a/bin/hardening/2.4_tmp_noexec.sh
+++ b/bin/hardening/2.4_tmp_noexec.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.5_var_partition.sh b/bin/hardening/2.5_var_partition.sh
index bba19c3..3a0fed6 100755
--- a/bin/hardening/2.5_var_partition.sh
+++ b/bin/hardening/2.5_var_partition.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.6.1_var_tmp_partition.sh b/bin/hardening/2.6.1_var_tmp_partition.sh
index 57dc4e2..1a1348b 100755
--- a/bin/hardening/2.6.1_var_tmp_partition.sh
+++ b/bin/hardening/2.6.1_var_tmp_partition.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.6.2_var_tmp_nodev.sh b/bin/hardening/2.6.2_var_tmp_nodev.sh
index 13df7e8..2be7322 100755
--- a/bin/hardening/2.6.2_var_tmp_nodev.sh
+++ b/bin/hardening/2.6.2_var_tmp_nodev.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.6.3_var_tmp_nosuid.sh b/bin/hardening/2.6.3_var_tmp_nosuid.sh
index 8e745af..992d8e6 100755
--- a/bin/hardening/2.6.3_var_tmp_nosuid.sh
+++ b/bin/hardening/2.6.3_var_tmp_nosuid.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.6.4_var_tmp_noexec.sh b/bin/hardening/2.6.4_var_tmp_noexec.sh
index 6f6cf4b..223477f 100755
--- a/bin/hardening/2.6.4_var_tmp_noexec.sh
+++ b/bin/hardening/2.6.4_var_tmp_noexec.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.7_var_log_partition.sh b/bin/hardening/2.7_var_log_partition.sh
index b05593a..32b2c74 100755
--- a/bin/hardening/2.7_var_log_partition.sh
+++ b/bin/hardening/2.7_var_log_partition.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.8_var_log_audit_partition.sh b/bin/hardening/2.8_var_log_audit_partition.sh
index 721d49a..9c7bf92 100755
--- a/bin/hardening/2.8_var_log_audit_partition.sh
+++ b/bin/hardening/2.8_var_log_audit_partition.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/2.9_home_partition.sh b/bin/hardening/2.9_home_partition.sh
index 3d3c2c5..04270db 100755
--- a/bin/hardening/2.9_home_partition.sh
+++ b/bin/hardening/2.9_home_partition.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/3.1_bootloader_ownership.sh b/bin/hardening/3.1_bootloader_ownership.sh
index b5f8ef2..044d2b0 100755
--- a/bin/hardening/3.1_bootloader_ownership.sh
+++ b/bin/hardening/3.1_bootloader_ownership.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/3.2_bootloader_permissions.sh b/bin/hardening/3.2_bootloader_permissions.sh
index faba57c..4bc0dec 100755
--- a/bin/hardening/3.2_bootloader_permissions.sh
+++ b/bin/hardening/3.2_bootloader_permissions.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/3.3_bootloader_password.sh b/bin/hardening/3.3_bootloader_password.sh
index 8443de7..05a9ab0 100755
--- a/bin/hardening/3.3_bootloader_password.sh
+++ b/bin/hardening/3.3_bootloader_password.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/3.4_root_password.sh b/bin/hardening/3.4_root_password.sh
index 9bef628..f37bfb0 100755
--- a/bin/hardening/3.4_root_password.sh
+++ b/bin/hardening/3.4_root_password.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/4.1_restrict_core_dumps.sh b/bin/hardening/4.1_restrict_core_dumps.sh
index c59526d..7f6a4b6 100755
--- a/bin/hardening/4.1_restrict_core_dumps.sh
+++ b/bin/hardening/4.1_restrict_core_dumps.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/4.2_enable_nx_support.sh b/bin/hardening/4.2_enable_nx_support.sh
index 1a86838..d5c4962 100755
--- a/bin/hardening/4.2_enable_nx_support.sh
+++ b/bin/hardening/4.2_enable_nx_support.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/4.3_enable_randomized_vm_placement.sh b/bin/hardening/4.3_enable_randomized_vm_placement.sh
index 03a7f71..ded11c1 100755
--- a/bin/hardening/4.3_enable_randomized_vm_placement.sh
+++ b/bin/hardening/4.3_enable_randomized_vm_placement.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/4.4_disable_prelink.sh b/bin/hardening/4.4_disable_prelink.sh
index a0b9549..3770a6b 100755
--- a/bin/hardening/4.4_disable_prelink.sh
+++ b/bin/hardening/4.4_disable_prelink.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/4.5_enable_apparmor.sh b/bin/hardening/4.5_enable_apparmor.sh
index 4714fbf..88b7bbc 100755
--- a/bin/hardening/4.5_enable_apparmor.sh
+++ b/bin/hardening/4.5_enable_apparmor.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.1.1_disable_nis.sh b/bin/hardening/5.1.1_disable_nis.sh
index 01cf8d7..ddabc5b 100755
--- a/bin/hardening/5.1.1_disable_nis.sh
+++ b/bin/hardening/5.1.1_disable_nis.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.1.2_disable_rsh.sh b/bin/hardening/5.1.2_disable_rsh.sh
index 3b6d3e5..802ab4b 100755
--- a/bin/hardening/5.1.2_disable_rsh.sh
+++ b/bin/hardening/5.1.2_disable_rsh.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.1.3_disable_rsh_client.sh b/bin/hardening/5.1.3_disable_rsh_client.sh
index 15d0b6d..679093a 100755
--- a/bin/hardening/5.1.3_disable_rsh_client.sh
+++ b/bin/hardening/5.1.3_disable_rsh_client.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.1.4_disable_talk.sh b/bin/hardening/5.1.4_disable_talk.sh
index e283fec..ffd320b 100755
--- a/bin/hardening/5.1.4_disable_talk.sh
+++ b/bin/hardening/5.1.4_disable_talk.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.1.5_disable_talk_client.sh b/bin/hardening/5.1.5_disable_talk_client.sh
index c6f4b10..3e5c927 100755
--- a/bin/hardening/5.1.5_disable_talk_client.sh
+++ b/bin/hardening/5.1.5_disable_talk_client.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.1.6_disable_telnet_server.sh b/bin/hardening/5.1.6_disable_telnet_server.sh
index 61b19eb..9d7b3f6 100755
--- a/bin/hardening/5.1.6_disable_telnet_server.sh
+++ b/bin/hardening/5.1.6_disable_telnet_server.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.1.7_disable_tftp_server.sh b/bin/hardening/5.1.7_disable_tftp_server.sh
index ae17ef1..0c39f26 100755
--- a/bin/hardening/5.1.7_disable_tftp_server.sh
+++ b/bin/hardening/5.1.7_disable_tftp_server.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.1.8_disable_inetd.sh b/bin/hardening/5.1.8_disable_inetd.sh
index 9a1bd52..bad5b8c 100755
--- a/bin/hardening/5.1.8_disable_inetd.sh
+++ b/bin/hardening/5.1.8_disable_inetd.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.2_disable_chargen.sh b/bin/hardening/5.2_disable_chargen.sh
index 9fdc3c1..2ce2870 100755
--- a/bin/hardening/5.2_disable_chargen.sh
+++ b/bin/hardening/5.2_disable_chargen.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.3_disable_daytime.sh b/bin/hardening/5.3_disable_daytime.sh
index 8509fd1..cb12750 100755
--- a/bin/hardening/5.3_disable_daytime.sh
+++ b/bin/hardening/5.3_disable_daytime.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.4_disable_echo.sh b/bin/hardening/5.4_disable_echo.sh
index 0113670..d899e8f 100755
--- a/bin/hardening/5.4_disable_echo.sh
+++ b/bin/hardening/5.4_disable_echo.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.5_disable_discard.sh b/bin/hardening/5.5_disable_discard.sh
index 77601fa..0fce91d 100755
--- a/bin/hardening/5.5_disable_discard.sh
+++ b/bin/hardening/5.5_disable_discard.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/5.6_disable_time.sh b/bin/hardening/5.6_disable_time.sh
index 106dc69..0267904 100755
--- a/bin/hardening/5.6_disable_time.sh
+++ b/bin/hardening/5.6_disable_time.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.10_disable_http_server.sh b/bin/hardening/6.10_disable_http_server.sh
index 8909daa..72d3076 100755
--- a/bin/hardening/6.10_disable_http_server.sh
+++ b/bin/hardening/6.10_disable_http_server.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.11_disable_imap_pop.sh b/bin/hardening/6.11_disable_imap_pop.sh
index a7dec19..9d4b82d 100755
--- a/bin/hardening/6.11_disable_imap_pop.sh
+++ b/bin/hardening/6.11_disable_imap_pop.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.12_disable_samba.sh b/bin/hardening/6.12_disable_samba.sh
index b696c4e..d635a34 100755
--- a/bin/hardening/6.12_disable_samba.sh
+++ b/bin/hardening/6.12_disable_samba.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.13_diable_http_proxy.sh b/bin/hardening/6.13_diable_http_proxy.sh
index c923be9..b1a4b29 100755
--- a/bin/hardening/6.13_diable_http_proxy.sh
+++ b/bin/hardening/6.13_diable_http_proxy.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.14_disable_snmp_server.sh b/bin/hardening/6.14_disable_snmp_server.sh
index 6754f73..6eceacb 100755
--- a/bin/hardening/6.14_disable_snmp_server.sh
+++ b/bin/hardening/6.14_disable_snmp_server.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.15_mta_localhost.sh b/bin/hardening/6.15_mta_localhost.sh
index 4651471..e08325c 100755
--- a/bin/hardening/6.15_mta_localhost.sh
+++ b/bin/hardening/6.15_mta_localhost.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.16_disable_rsync.sh b/bin/hardening/6.16_disable_rsync.sh
index 5007e13..5b9800d 100755
--- a/bin/hardening/6.16_disable_rsync.sh
+++ b/bin/hardening/6.16_disable_rsync.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.1_disable_xwindow_system.sh b/bin/hardening/6.1_disable_xwindow_system.sh
index 65ae917..bd30e09 100755
--- a/bin/hardening/6.1_disable_xwindow_system.sh
+++ b/bin/hardening/6.1_disable_xwindow_system.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.2_disable_avahi_server.sh b/bin/hardening/6.2_disable_avahi_server.sh
index d548b90..7a4a13a 100755
--- a/bin/hardening/6.2_disable_avahi_server.sh
+++ b/bin/hardening/6.2_disable_avahi_server.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.3_disable_print_server.sh b/bin/hardening/6.3_disable_print_server.sh
index 80224a4..2a606f9 100755
--- a/bin/hardening/6.3_disable_print_server.sh
+++ b/bin/hardening/6.3_disable_print_server.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.4_disable_dhcp.sh b/bin/hardening/6.4_disable_dhcp.sh
index 4cd9d48..dcf76d9 100755
--- a/bin/hardening/6.4_disable_dhcp.sh
+++ b/bin/hardening/6.4_disable_dhcp.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.5_configure_ntp.sh b/bin/hardening/6.5_configure_ntp.sh
index cad9deb..df3c861 100755
--- a/bin/hardening/6.5_configure_ntp.sh
+++ b/bin/hardening/6.5_configure_ntp.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.6_diable_ldap.sh b/bin/hardening/6.6_diable_ldap.sh
index 75bf546..9fb4f35 100755
--- a/bin/hardening/6.6_diable_ldap.sh
+++ b/bin/hardening/6.6_diable_ldap.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.7_disable_nfs_rpc.sh b/bin/hardening/6.7_disable_nfs_rpc.sh
index 2c0a0d0..d1f0d00 100755
--- a/bin/hardening/6.7_disable_nfs_rpc.sh
+++ b/bin/hardening/6.7_disable_nfs_rpc.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.8_disable_dns_server.sh b/bin/hardening/6.8_disable_dns_server.sh
index a2bcbac..492a9bb 100755
--- a/bin/hardening/6.8_disable_dns_server.sh
+++ b/bin/hardening/6.8_disable_dns_server.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/6.9_disable_ftp.sh b/bin/hardening/6.9_disable_ftp.sh
index ea58eaf..579f933 100755
--- a/bin/hardening/6.9_disable_ftp.sh
+++ b/bin/hardening/6.9_disable_ftp.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.1.1_disable_ip_forwarding.sh b/bin/hardening/7.1.1_disable_ip_forwarding.sh
index 47ef9d9..24ef503 100755
--- a/bin/hardening/7.1.1_disable_ip_forwarding.sh
+++ b/bin/hardening/7.1.1_disable_ip_forwarding.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.1.2_disable_send_packet_redirects.sh b/bin/hardening/7.1.2_disable_send_packet_redirects.sh
index 2fcd772..f608988 100755
--- a/bin/hardening/7.1.2_disable_send_packet_redirects.sh
+++ b/bin/hardening/7.1.2_disable_send_packet_redirects.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.2.1_disable_source_routed_packets.sh b/bin/hardening/7.2.1_disable_source_routed_packets.sh
index 521e14b..660d374 100755
--- a/bin/hardening/7.2.1_disable_source_routed_packets.sh
+++ b/bin/hardening/7.2.1_disable_source_routed_packets.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.2.2_disable_icmp_redirect.sh b/bin/hardening/7.2.2_disable_icmp_redirect.sh
index 9b29b30..7ac408c 100755
--- a/bin/hardening/7.2.2_disable_icmp_redirect.sh
+++ b/bin/hardening/7.2.2_disable_icmp_redirect.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh b/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
index 0ab668e..1f0b405 100755
--- a/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
+++ b/bin/hardening/7.2.3_disable_secure_icmp_redirect.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.2.4_log_martian_packets.sh b/bin/hardening/7.2.4_log_martian_packets.sh
index 464fa36..b8a48bb 100755
--- a/bin/hardening/7.2.4_log_martian_packets.sh
+++ b/bin/hardening/7.2.4_log_martian_packets.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.2.5_ignore_broadcast_requests.sh b/bin/hardening/7.2.5_ignore_broadcast_requests.sh
index 56475b1..dab592b 100755
--- a/bin/hardening/7.2.5_ignore_broadcast_requests.sh
+++ b/bin/hardening/7.2.5_ignore_broadcast_requests.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.2.6_enable_bad_error_message_protection.sh b/bin/hardening/7.2.6_enable_bad_error_message_protection.sh
index c964383..43a7747 100755
--- a/bin/hardening/7.2.6_enable_bad_error_message_protection.sh
+++ b/bin/hardening/7.2.6_enable_bad_error_message_protection.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.2.7_enable_source_route_validation.sh b/bin/hardening/7.2.7_enable_source_route_validation.sh
index 5a7e8d8..1391ce7 100755
--- a/bin/hardening/7.2.7_enable_source_route_validation.sh
+++ b/bin/hardening/7.2.7_enable_source_route_validation.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh b/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
index 69503fb..8d2da10 100755
--- a/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
+++ b/bin/hardening/7.2.8_enable_tcp_syn_cookies.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh b/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh
index 5903ad7..173a289 100755
--- a/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh
+++ b/bin/hardening/7.3.1_disable_ipv6_router_advertisement.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.3.2_disable_ipv6_redirect.sh b/bin/hardening/7.3.2_disable_ipv6_redirect.sh
index 594bbd3..7f858be 100755
--- a/bin/hardening/7.3.2_disable_ipv6_redirect.sh
+++ b/bin/hardening/7.3.2_disable_ipv6_redirect.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.3.3_disable_ipv6.sh b/bin/hardening/7.3.3_disable_ipv6.sh
index a1a325d..22a087d 100755
--- a/bin/hardening/7.3.3_disable_ipv6.sh
+++ b/bin/hardening/7.3.3_disable_ipv6.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.4.1_install_tcp_wrapper.sh b/bin/hardening/7.4.1_install_tcp_wrapper.sh
index 751eeda..ad564d2 100755
--- a/bin/hardening/7.4.1_install_tcp_wrapper.sh
+++ b/bin/hardening/7.4.1_install_tcp_wrapper.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.4.2_hosts_allow.sh b/bin/hardening/7.4.2_hosts_allow.sh
index a0de311..4d0c808 100755
--- a/bin/hardening/7.4.2_hosts_allow.sh
+++ b/bin/hardening/7.4.2_hosts_allow.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.4.3_hosts_allow_permissions.sh b/bin/hardening/7.4.3_hosts_allow_permissions.sh
index a6536ae..6f0fea4 100755
--- a/bin/hardening/7.4.3_hosts_allow_permissions.sh
+++ b/bin/hardening/7.4.3_hosts_allow_permissions.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.4.4_hosts_deny.sh b/bin/hardening/7.4.4_hosts_deny.sh
index 7403589..1649115 100755
--- a/bin/hardening/7.4.4_hosts_deny.sh
+++ b/bin/hardening/7.4.4_hosts_deny.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.4.5_hosts_deny_permissions.sh b/bin/hardening/7.4.5_hosts_deny_permissions.sh
index 50aae37..933a7c6 100755
--- a/bin/hardening/7.4.5_hosts_deny_permissions.sh
+++ b/bin/hardening/7.4.5_hosts_deny_permissions.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.5.1_disable_dccp.sh b/bin/hardening/7.5.1_disable_dccp.sh
index b159a29..bad110c 100755
--- a/bin/hardening/7.5.1_disable_dccp.sh
+++ b/bin/hardening/7.5.1_disable_dccp.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.5.2_disable_sctp.sh b/bin/hardening/7.5.2_disable_sctp.sh
index d521282..bf4bb75 100755
--- a/bin/hardening/7.5.2_disable_sctp.sh
+++ b/bin/hardening/7.5.2_disable_sctp.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.5.3_disable_rds.sh b/bin/hardening/7.5.3_disable_rds.sh
index 061a653..78ee539 100755
--- a/bin/hardening/7.5.3_disable_rds.sh
+++ b/bin/hardening/7.5.3_disable_rds.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.5.4_disable_tipc.sh b/bin/hardening/7.5.4_disable_tipc.sh
index db8dc27..f0e8a26 100755
--- a/bin/hardening/7.5.4_disable_tipc.sh
+++ b/bin/hardening/7.5.4_disable_tipc.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.6_disable_wireless.sh b/bin/hardening/7.6_disable_wireless.sh
index d792361..f782b01 100755
--- a/bin/hardening/7.6_disable_wireless.sh
+++ b/bin/hardening/7.6_disable_wireless.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/7.7_enable_firewall.sh b/bin/hardening/7.7_enable_firewall.sh
index 999fb2e..82af538 100755
--- a/bin/hardening/7.7_enable_firewall.sh
+++ b/bin/hardening/7.7_enable_firewall.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.0_enable_auditd_kernel.sh b/bin/hardening/8.0_enable_auditd_kernel.sh
index 03229c6..02da848 100755
--- a/bin/hardening/8.0_enable_auditd_kernel.sh
+++ b/bin/hardening/8.0_enable_auditd_kernel.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.1.1_audit_log_storage.sh b/bin/hardening/8.1.1.1_audit_log_storage.sh
index 369c4c7..b9817f8 100755
--- a/bin/hardening/8.1.1.1_audit_log_storage.sh
+++ b/bin/hardening/8.1.1.1_audit_log_storage.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
index df21b6f..2c5fd88 100755
--- a/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
+++ b/bin/hardening/8.1.1.2_halt_when_audit_log_full.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.1.3_keep_all_audit_logs.sh b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh
index c83a005..cca57ab 100755
--- a/bin/hardening/8.1.1.3_keep_all_audit_logs.sh
+++ b/bin/hardening/8.1.1.3_keep_all_audit_logs.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.10_record_dac_edit.sh b/bin/hardening/8.1.10_record_dac_edit.sh
index 88d8fee..69ef81c 100755
--- a/bin/hardening/8.1.10_record_dac_edit.sh
+++ b/bin/hardening/8.1.10_record_dac_edit.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.11_record_failed_access_file.sh b/bin/hardening/8.1.11_record_failed_access_file.sh
index 1069c0c..c7e1c3a 100755
--- a/bin/hardening/8.1.11_record_failed_access_file.sh
+++ b/bin/hardening/8.1.11_record_failed_access_file.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.12_record_privileged_commands.sh b/bin/hardening/8.1.12_record_privileged_commands.sh
index 1b38815..d067596 100755
--- a/bin/hardening/8.1.12_record_privileged_commands.sh
+++ b/bin/hardening/8.1.12_record_privileged_commands.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.13_record_successful_mount.sh b/bin/hardening/8.1.13_record_successful_mount.sh
index 9a23678..8e64cdc 100755
--- a/bin/hardening/8.1.13_record_successful_mount.sh
+++ b/bin/hardening/8.1.13_record_successful_mount.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.14_record_file_deletions.sh b/bin/hardening/8.1.14_record_file_deletions.sh
index ba4e0a4..2b3cf19 100755
--- a/bin/hardening/8.1.14_record_file_deletions.sh
+++ b/bin/hardening/8.1.14_record_file_deletions.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.15_record_sudoers_edit.sh b/bin/hardening/8.1.15_record_sudoers_edit.sh
index 4701849..9fc5215 100755
--- a/bin/hardening/8.1.15_record_sudoers_edit.sh
+++ b/bin/hardening/8.1.15_record_sudoers_edit.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.16_record_sudo_usage.sh b/bin/hardening/8.1.16_record_sudo_usage.sh
index 021d08b..c3c87e5 100755
--- a/bin/hardening/8.1.16_record_sudo_usage.sh
+++ b/bin/hardening/8.1.16_record_sudo_usage.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh
index 06128d8..eac57af 100755
--- a/bin/hardening/8.1.17_record_kernel_modules.sh
+++ b/bin/hardening/8.1.17_record_kernel_modules.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.18_freeze_auditd_conf.sh
index 0b20cbc..335b044 100755
--- a/bin/hardening/8.1.18_freeze_auditd_conf.sh
+++ b/bin/hardening/8.1.18_freeze_auditd_conf.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.2_enable_auditd.sh b/bin/hardening/8.1.2_enable_auditd.sh
index 02962e9..a2c3472 100755
--- a/bin/hardening/8.1.2_enable_auditd.sh
+++ b/bin/hardening/8.1.2_enable_auditd.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.3_audit_bootloader.sh b/bin/hardening/8.1.3_audit_bootloader.sh
index 7a8f5e3..9914a58 100755
--- a/bin/hardening/8.1.3_audit_bootloader.sh
+++ b/bin/hardening/8.1.3_audit_bootloader.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.4_record_date_time_edit.sh b/bin/hardening/8.1.4_record_date_time_edit.sh
index f1ac82b..f2f5f29 100755
--- a/bin/hardening/8.1.4_record_date_time_edit.sh
+++ b/bin/hardening/8.1.4_record_date_time_edit.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.5_record_user_group_edit.sh b/bin/hardening/8.1.5_record_user_group_edit.sh
index e181316..706f4bb 100755
--- a/bin/hardening/8.1.5_record_user_group_edit.sh
+++ b/bin/hardening/8.1.5_record_user_group_edit.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.6_record_network_edit.sh b/bin/hardening/8.1.6_record_network_edit.sh
index b6385e6..4e0c718 100755
--- a/bin/hardening/8.1.6_record_network_edit.sh
+++ b/bin/hardening/8.1.6_record_network_edit.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh
index 41b8e98..78f0bff 100755
--- a/bin/hardening/8.1.7_record_mac_edit.sh
+++ b/bin/hardening/8.1.7_record_mac_edit.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.8_record_login_logout.sh b/bin/hardening/8.1.8_record_login_logout.sh
index 8949f90..7d35a38 100755
--- a/bin/hardening/8.1.8_record_login_logout.sh
+++ b/bin/hardening/8.1.8_record_login_logout.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.1.9_record_session_init.sh b/bin/hardening/8.1.9_record_session_init.sh
index c2d0474..b939105 100755
--- a/bin/hardening/8.1.9_record_session_init.sh
+++ b/bin/hardening/8.1.9_record_session_init.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.2.1_install_syslog-ng.sh b/bin/hardening/8.2.1_install_syslog-ng.sh
index 572f274..aa56a5f 100755
--- a/bin/hardening/8.2.1_install_syslog-ng.sh
+++ b/bin/hardening/8.2.1_install_syslog-ng.sh
@@ -2,7 +2,6 @@
 #
 # CIS Debian 7 Hardening
-# Authors : Thibault Dewailly, OVH
 #
 #
diff --git a/bin/hardening/8.2.2_enable_syslog-ng.sh b/bin/hardening/8.2.2_enable_syslog-ng.sh
index 548d576..9b08561 100755
--- a/bin/hardening/8.2.2_enable_syslog-ng.sh
+++ b/bin/hardening/8.2.2_enable_syslog-ng.sh
@@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/8.2.3_configure_syslog-ng.sh b/bin/hardening/8.2.3_configure_syslog-ng.sh index 423e0e2..ae0351f 100755 --- a/bin/hardening/8.2.3_configure_syslog-ng.sh +++ b/bin/hardening/8.2.3_configure_syslog-ng.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/8.2.4_set_logfile_perm.sh b/bin/hardening/8.2.4_set_logfile_perm.sh index f2efcf5..cd48564 100755 --- a/bin/hardening/8.2.4_set_logfile_perm.sh +++ b/bin/hardening/8.2.4_set_logfile_perm.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/8.2.5_syslog-ng_remote_host.sh b/bin/hardening/8.2.5_syslog-ng_remote_host.sh index 50e1729..5f5e942 100755 --- a/bin/hardening/8.2.5_syslog-ng_remote_host.sh +++ b/bin/hardening/8.2.5_syslog-ng_remote_host.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/8.2.6_remote_syslog-ng_acl.sh b/bin/hardening/8.2.6_remote_syslog-ng_acl.sh index c307c73..0c80c3f 100755 --- a/bin/hardening/8.2.6_remote_syslog-ng_acl.sh +++ b/bin/hardening/8.2.6_remote_syslog-ng_acl.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/8.3.1_install_tripwire.sh b/bin/hardening/8.3.1_install_tripwire.sh index d3ec4d6..6bc85c9 100755 --- a/bin/hardening/8.3.1_install_tripwire.sh +++ b/bin/hardening/8.3.1_install_tripwire.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/8.3.2_tripwire_cron.sh b/bin/hardening/8.3.2_tripwire_cron.sh index b6758a9..c119a08 100755 --- a/bin/hardening/8.3.2_tripwire_cron.sh +++ b/bin/hardening/8.3.2_tripwire_cron.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/8.4_configure_logrotate.sh b/bin/hardening/8.4_configure_logrotate.sh index 88ad028..8f93e73 100755 --- a/bin/hardening/8.4_configure_logrotate.sh +++ b/bin/hardening/8.4_configure_logrotate.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.1.1_enable_cron.sh b/bin/hardening/9.1.1_enable_cron.sh index 33eb86d..6dc1ce5 100755 --- a/bin/hardening/9.1.1_enable_cron.sh +++ b/bin/hardening/9.1.1_enable_cron.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.1.2_crontab_perm_ownership.sh b/bin/hardening/9.1.2_crontab_perm_ownership.sh index e378b56..b3ecd62 100755 --- a/bin/hardening/9.1.2_crontab_perm_ownership.sh +++ b/bin/hardening/9.1.2_crontab_perm_ownership.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh index 49d1c6b..25595a9 100755 --- a/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh +++ b/bin/hardening/9.1.3_cron_hourly_perm_ownership.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.1.4_cron_daily_perm_ownership.sh b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh index 75f43cf..122ec4a 100755 --- a/bin/hardening/9.1.4_cron_daily_perm_ownership.sh +++ b/bin/hardening/9.1.4_cron_daily_perm_ownership.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh index cb03ec0..21bca7c 100755 --- a/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh +++ b/bin/hardening/9.1.5_cron_weekly_perm_ownership.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh index 9b531fd..38a8bd1 100755 --- a/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh +++ b/bin/hardening/9.1.6_cron_monthly_perm_ownership.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.1.7_cron_d_perm_ownership.sh b/bin/hardening/9.1.7_cron_d_perm_ownership.sh index 2d1399c..bca5fb9 100755 --- a/bin/hardening/9.1.7_cron_d_perm_ownership.sh +++ b/bin/hardening/9.1.7_cron_d_perm_ownership.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.1.8_cron_users.sh b/bin/hardening/9.1.8_cron_users.sh index ed15ed0..2706b5e 100755 --- a/bin/hardening/9.1.8_cron_users.sh +++ b/bin/hardening/9.1.8_cron_users.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.2.1_enable_cracklib.sh b/bin/hardening/9.2.1_enable_cracklib.sh index 464305d..0f0eb5e 100755 --- a/bin/hardening/9.2.1_enable_cracklib.sh +++ b/bin/hardening/9.2.1_enable_cracklib.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.2.2_enable_lockout_failed_password.sh b/bin/hardening/9.2.2_enable_lockout_failed_password.sh index 6215780..4144119 100755 --- a/bin/hardening/9.2.2_enable_lockout_failed_password.sh +++ b/bin/hardening/9.2.2_enable_lockout_failed_password.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.2.3_limit_password_reuse.sh b/bin/hardening/9.2.3_limit_password_reuse.sh index b70ed54..2b81158 100755 --- a/bin/hardening/9.2.3_limit_password_reuse.sh +++ b/bin/hardening/9.2.3_limit_password_reuse.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # 
diff --git a/bin/hardening/9.3.10_disable_sshd_setenv.sh b/bin/hardening/9.3.10_disable_sshd_setenv.sh index a4c072b..e0f9d5f 100755 --- a/bin/hardening/9.3.10_disable_sshd_setenv.sh +++ b/bin/hardening/9.3.10_disable_sshd_setenv.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.11_sshd_ciphers.sh b/bin/hardening/9.3.11_sshd_ciphers.sh index 21b5d24..4836119 100755 --- a/bin/hardening/9.3.11_sshd_ciphers.sh +++ b/bin/hardening/9.3.11_sshd_ciphers.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.12_sshd_idle_timeout.sh b/bin/hardening/9.3.12_sshd_idle_timeout.sh index e888c8b..94e4da2 100755 --- a/bin/hardening/9.3.12_sshd_idle_timeout.sh +++ b/bin/hardening/9.3.12_sshd_idle_timeout.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.13_sshd_limit_access.sh b/bin/hardening/9.3.13_sshd_limit_access.sh index 6446cfa..f6475f8 100755 --- a/bin/hardening/9.3.13_sshd_limit_access.sh +++ b/bin/hardening/9.3.13_sshd_limit_access.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.14_ssh_banner.sh b/bin/hardening/9.3.14_ssh_banner.sh index 8df24fa..b44a310 100755 --- a/bin/hardening/9.3.14_ssh_banner.sh +++ b/bin/hardening/9.3.14_ssh_banner.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.1_sshd_protocol.sh b/bin/hardening/9.3.1_sshd_protocol.sh index 167b167..ad0c5f3 100755 --- a/bin/hardening/9.3.1_sshd_protocol.sh +++ b/bin/hardening/9.3.1_sshd_protocol.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.2_sshd_loglevel.sh b/bin/hardening/9.3.2_sshd_loglevel.sh index 8114340..b15af1b 100755 --- a/bin/hardening/9.3.2_sshd_loglevel.sh +++ b/bin/hardening/9.3.2_sshd_loglevel.sh 
@@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh index ca23cf7..0acef81 100755 --- a/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh +++ b/bin/hardening/9.3.3_sshd_conf_perm_ownership.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.4_disable_x11_forwarding.sh b/bin/hardening/9.3.4_disable_x11_forwarding.sh index 5b3b2ae..57df8d5 100755 --- a/bin/hardening/9.3.4_disable_x11_forwarding.sh +++ b/bin/hardening/9.3.4_disable_x11_forwarding.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.5_sshd_maxauthtries.sh b/bin/hardening/9.3.5_sshd_maxauthtries.sh index 79a6f40..00db940 100755 --- a/bin/hardening/9.3.5_sshd_maxauthtries.sh +++ b/bin/hardening/9.3.5_sshd_maxauthtries.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh index bc550a6..e74c30c 100755 --- a/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh +++ b/bin/hardening/9.3.6_enable_sshd_ignorerhosts.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh index faa23d4..4ae0486 100755 --- a/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh +++ b/bin/hardening/9.3.7_disable_sshd_hostbasedauthentication.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.8_disable_root_login.sh b/bin/hardening/9.3.8_disable_root_login.sh index 96df935..890e636 100755 --- a/bin/hardening/9.3.8_disable_root_login.sh +++ b/bin/hardening/9.3.8_disable_root_login.sh 
@@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh index 383ca48..bda4337 100755 --- a/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh +++ b/bin/hardening/9.3.9_disable_sshd_permitemptypasswords.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.4_secure_tty.sh b/bin/hardening/9.4_secure_tty.sh index ddeb0d9..e809230 100755 --- a/bin/hardening/9.4_secure_tty.sh +++ b/bin/hardening/9.4_secure_tty.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/9.5_restrict_su.sh b/bin/hardening/9.5_restrict_su.sh index 90737da..e79f726 100755 --- a/bin/hardening/9.5_restrict_su.sh +++ b/bin/hardening/9.5_restrict_su.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/99.1_timeout_tty.sh b/bin/hardening/99.1_timeout_tty.sh index d4bcfb1..9c14f24 100755 --- a/bin/hardening/99.1_timeout_tty.sh +++ b/bin/hardening/99.1_timeout_tty.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening /!\ Not in the Guide -# Authors : Thibault Dewailly, OVH # # diff --git a/bin/hardening/99.2_disable_usb_devices.sh b/bin/hardening/99.2_disable_usb_devices.sh index 97077ae..9c40d04 100755 --- a/bin/hardening/99.2_disable_usb_devices.sh +++ b/bin/hardening/99.2_disable_usb_devices.sh @@ -2,7 +2,6 @@ # # CIS Debian 7 Hardening /!\ Not in the Guide -# Authors : Thibault Dewailly, OVH # # diff --git a/etc/conf.d/1.1_install_updates.cfg b/etc/conf.d/1.1_install_updates.cfg index e1e4502..acee522 100644 --- a/etc/conf.d/1.1_install_updates.cfg +++ b/etc/conf.d/1.1_install_updates.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=enabled +status=disabled 
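Review bot: Flipping the default to `status=disabled` in etc/conf.d/1.1_install_updates.cfg, and identically in every etc/conf.d hunk that follows, means a fresh checkout neither audits nor hardens anything until each config file is edited by hand, so a file that is overlooked is silently never checked. If the intent is only to stop the scripts from changing the host unprompted, an audit-only status would keep the findings report while leaving the system untouched, assuming the runner distinguishes audit from apply. At minimum the header comment `# Configuration for script of same name` should list the values status accepts so an operator knows how to opt a check back in, e.g. `# status: disabled | audit | enabled`.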
diff --git a/etc/conf.d/10.1.1_set_password_exp_days.cfg b/etc/conf.d/10.1.1_set_password_exp_days.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/10.1.1_set_password_exp_days.cfg
+++ b/etc/conf.d/10.1.1_set_password_exp_days.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/10.1.2_set_password_min_days_change.cfg b/etc/conf.d/10.1.2_set_password_min_days_change.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/10.1.2_set_password_min_days_change.cfg
+++ b/etc/conf.d/10.1.2_set_password_min_days_change.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg b/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg
+++ b/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/10.2_disable_system_accounts.cfg b/etc/conf.d/10.2_disable_system_accounts.cfg
index 3ddfab4..984069e 100644
--- a/etc/conf.d/10.2_disable_system_accounts.cfg
+++ b/etc/conf.d/10.2_disable_system_accounts.cfg
@@ -1,4 +1,4 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
 # Put here your exceptions concerning admin accounts shells separated by spaces
 EXCEPTIONS=""
diff --git a/etc/conf.d/10.3_default_root_group.cfg b/etc/conf.d/10.3_default_root_group.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/10.3_default_root_group.cfg
+++ b/etc/conf.d/10.3_default_root_group.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/10.4_default_umask.cfg b/etc/conf.d/10.4_default_umask.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/10.4_default_umask.cfg
+++ b/etc/conf.d/10.4_default_umask.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/10.5_lock_inactive_user_account.cfg b/etc/conf.d/10.5_lock_inactive_user_account.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/10.5_lock_inactive_user_account.cfg
+++ b/etc/conf.d/10.5_lock_inactive_user_account.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/11.1_warning_banners.cfg b/etc/conf.d/11.1_warning_banners.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/11.1_warning_banners.cfg
+++ b/etc/conf.d/11.1_warning_banners.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/11.2_remove_os_info_warning_banners.cfg b/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
+++ b/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/11.3_graphical_warning_banners.cfg b/etc/conf.d/11.3_graphical_warning_banners.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/11.3_graphical_warning_banners.cfg
+++ b/etc/conf.d/11.3_graphical_warning_banners.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/12.10_find_suid_files.cfg b/etc/conf.d/12.10_find_suid_files.cfg
index 329e0ff..102c278 100644
--- a/etc/conf.d/12.10_find_suid_files.cfg
+++ b/etc/conf.d/12.10_find_suid_files.cfg
@@ -1,5 +1,5 @@ # Configuration for script of same name -status=enabled +status=disabled # Put Here your valid suid binaries so that they do not appear during the audit EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown" diff --git a/etc/conf.d/12.11_find_sgid_files.cfg b/etc/conf.d/12.11_find_sgid_files.cfg index 09b501c..066ca9e 100644 --- a/etc/conf.d/12.11_find_sgid_files.cfg +++ b/etc/conf.d/12.11_find_sgid_files.cfg @@ -1,4 +1,4 @@ # Configuration for script of same name -status=enabled +status=disabled # Put here valid binaries with sgid enabled separated by spaces EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue" diff --git a/etc/conf.d/12.1_etc_passwd_permissions.cfg b/etc/conf.d/12.1_etc_passwd_permissions.cfg index e1e4502..acee522 100644 --- a/etc/conf.d/12.1_etc_passwd_permissions.cfg +++ b/etc/conf.d/12.1_etc_passwd_permissions.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=enabled +status=disabled diff --git a/etc/conf.d/12.2_etc_shadow_permissions.cfg b/etc/conf.d/12.2_etc_shadow_permissions.cfg index e1e4502..acee522 100644 --- a/etc/conf.d/12.2_etc_shadow_permissions.cfg +++ b/etc/conf.d/12.2_etc_shadow_permissions.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=enabled +status=disabled diff --git a/etc/conf.d/12.3_etc_group_permissions.cfg b/etc/conf.d/12.3_etc_group_permissions.cfg index e1e4502..acee522 100644 --- a/etc/conf.d/12.3_etc_group_permissions.cfg +++ b/etc/conf.d/12.3_etc_group_permissions.cfg @@ -1,2 +1,2 @@ # Configuration for script of same name -status=enabled +status=disabled 
diff --git a/etc/conf.d/12.4_etc_passwd_ownership.cfg b/etc/conf.d/12.4_etc_passwd_ownership.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/12.4_etc_passwd_ownership.cfg
+++ b/etc/conf.d/12.4_etc_passwd_ownership.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/12.5_etc_shadow_ownership.cfg b/etc/conf.d/12.5_etc_shadow_ownership.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/12.5_etc_shadow_ownership.cfg
+++ b/etc/conf.d/12.5_etc_shadow_ownership.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/12.6_etc_group_ownership.cfg b/etc/conf.d/12.6_etc_group_ownership.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/12.6_etc_group_ownership.cfg
+++ b/etc/conf.d/12.6_etc_group_ownership.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/12.7_find_world_writable_file.cfg b/etc/conf.d/12.7_find_world_writable_file.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/12.7_find_world_writable_file.cfg
+++ b/etc/conf.d/12.7_find_world_writable_file.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/12.8_find_unowned_files.cfg b/etc/conf.d/12.8_find_unowned_files.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/12.8_find_unowned_files.cfg
+++ b/etc/conf.d/12.8_find_unowned_files.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/12.9_find_ungrouped_files.cfg b/etc/conf.d/12.9_find_ungrouped_files.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/12.9_find_ungrouped_files.cfg
+++ b/etc/conf.d/12.9_find_ungrouped_files.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.10_find_user_rhosts_files.cfg b/etc/conf.d/13.10_find_user_rhosts_files.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.10_find_user_rhosts_files.cfg
+++ b/etc/conf.d/13.10_find_user_rhosts_files.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg b/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg
+++ b/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.12_users_valid_homedir.cfg b/etc/conf.d/13.12_users_valid_homedir.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.12_users_valid_homedir.cfg
+++ b/etc/conf.d/13.12_users_valid_homedir.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.13_check_user_homedir_ownership.cfg b/etc/conf.d/13.13_check_user_homedir_ownership.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.13_check_user_homedir_ownership.cfg
+++ b/etc/conf.d/13.13_check_user_homedir_ownership.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.14_check_duplicate_uid.cfg b/etc/conf.d/13.14_check_duplicate_uid.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.14_check_duplicate_uid.cfg
+++ b/etc/conf.d/13.14_check_duplicate_uid.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.15_check_duplicate_gid.cfg b/etc/conf.d/13.15_check_duplicate_gid.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.15_check_duplicate_gid.cfg
+++ b/etc/conf.d/13.15_check_duplicate_gid.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.16_check_duplicate_username.cfg b/etc/conf.d/13.16_check_duplicate_username.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.16_check_duplicate_username.cfg
+++ b/etc/conf.d/13.16_check_duplicate_username.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.17_check_duplicate_groupname.cfg b/etc/conf.d/13.17_check_duplicate_groupname.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.17_check_duplicate_groupname.cfg
+++ b/etc/conf.d/13.17_check_duplicate_groupname.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.18_find_user_netrc_files.cfg b/etc/conf.d/13.18_find_user_netrc_files.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.18_find_user_netrc_files.cfg
+++ b/etc/conf.d/13.18_find_user_netrc_files.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.19_find_user_forward_files.cfg b/etc/conf.d/13.19_find_user_forward_files.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.19_find_user_forward_files.cfg
+++ b/etc/conf.d/13.19_find_user_forward_files.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.1_remove_empty_password_field.cfg b/etc/conf.d/13.1_remove_empty_password_field.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.1_remove_empty_password_field.cfg
+++ b/etc/conf.d/13.1_remove_empty_password_field.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.20_shadow_group_empty.cfg b/etc/conf.d/13.20_shadow_group_empty.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.20_shadow_group_empty.cfg
+++ b/etc/conf.d/13.20_shadow_group_empty.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg b/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg
+++ b/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg b/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg
+++ b/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.4_remove_legacy_group_entries.cfg b/etc/conf.d/13.4_remove_legacy_group_entries.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.4_remove_legacy_group_entries.cfg
+++ b/etc/conf.d/13.4_remove_legacy_group_entries.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.5_find_0_uid_non_root_account.cfg b/etc/conf.d/13.5_find_0_uid_non_root_account.cfg
index 9b61b4a..9575e88 100644
--- a/etc/conf.d/13.5_find_0_uid_non_root_account.cfg
+++ b/etc/conf.d/13.5_find_0_uid_non_root_account.cfg
@@ -1,4 +1,4 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
 # Put here valid accounts with uid 0 separated by spaces
 EXCEPTIONS=""
diff --git a/etc/conf.d/13.6_sanitize_root_path.cfg b/etc/conf.d/13.6_sanitize_root_path.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.6_sanitize_root_path.cfg
+++ b/etc/conf.d/13.6_sanitize_root_path.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.7_check_user_dir_perm.cfg b/etc/conf.d/13.7_check_user_dir_perm.cfg
index cfad1b4..16b509e 100644
--- a/etc/conf.d/13.7_check_user_dir_perm.cfg
+++ b/etc/conf.d/13.7_check_user_dir_perm.cfg
@@ -1,4 +1,4 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
 # Put here user home directories exceptions, separated by spaces
 EXCEPTIONS=""
diff --git a/etc/conf.d/13.8_check_user_dot_file_perm.cfg b/etc/conf.d/13.8_check_user_dot_file_perm.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.8_check_user_dot_file_perm.cfg
+++ b/etc/conf.d/13.8_check_user_dot_file_perm.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/13.9_set_perm_on_user_netrc.cfg b/etc/conf.d/13.9_set_perm_on_user_netrc.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/13.9_set_perm_on_user_netrc.cfg
+++ b/etc/conf.d/13.9_set_perm_on_user_netrc.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/5.1.2_disable_rsh.cfg b/etc/conf.d/5.1.2_disable_rsh.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/5.1.2_disable_rsh.cfg
+++ b/etc/conf.d/5.1.2_disable_rsh.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/5.1.4_disable_talk.cfg b/etc/conf.d/5.1.4_disable_talk.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/5.1.4_disable_talk.cfg
+++ b/etc/conf.d/5.1.4_disable_talk.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/5.1.5_disable_talk_client.cfg b/etc/conf.d/5.1.5_disable_talk_client.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/5.1.5_disable_talk_client.cfg
+++ b/etc/conf.d/5.1.5_disable_talk_client.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/5.1.6_disable_telnet_server.cfg b/etc/conf.d/5.1.6_disable_telnet_server.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/5.1.6_disable_telnet_server.cfg
+++ b/etc/conf.d/5.1.6_disable_telnet_server.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/5.1.7_disable_tftp_server.cfg b/etc/conf.d/5.1.7_disable_tftp_server.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/5.1.7_disable_tftp_server.cfg
+++ b/etc/conf.d/5.1.7_disable_tftp_server.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/5.1.8_disable_inetd.cfg b/etc/conf.d/5.1.8_disable_inetd.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/5.1.8_disable_inetd.cfg
+++ b/etc/conf.d/5.1.8_disable_inetd.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/5.2_disable_chargen.cfg b/etc/conf.d/5.2_disable_chargen.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/5.2_disable_chargen.cfg
+++ b/etc/conf.d/5.2_disable_chargen.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/5.3_disable_daytime.cfg b/etc/conf.d/5.3_disable_daytime.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/5.3_disable_daytime.cfg
+++ b/etc/conf.d/5.3_disable_daytime.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/5.4_disable_echo.cfg b/etc/conf.d/5.4_disable_echo.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/5.4_disable_echo.cfg
+++ b/etc/conf.d/5.4_disable_echo.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/5.5_disable_discard.cfg b/etc/conf.d/5.5_disable_discard.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/5.5_disable_discard.cfg
+++ b/etc/conf.d/5.5_disable_discard.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/5.6_disable_time.cfg b/etc/conf.d/5.6_disable_time.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/5.6_disable_time.cfg
+++ b/etc/conf.d/5.6_disable_time.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.10_disable_http_server.cfg b/etc/conf.d/6.10_disable_http_server.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.10_disable_http_server.cfg
+++ b/etc/conf.d/6.10_disable_http_server.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.11_disable_imap_pop.cfg b/etc/conf.d/6.11_disable_imap_pop.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.11_disable_imap_pop.cfg
+++ b/etc/conf.d/6.11_disable_imap_pop.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.12_disable_samba.cfg b/etc/conf.d/6.12_disable_samba.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.12_disable_samba.cfg
+++ b/etc/conf.d/6.12_disable_samba.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.13_diable_http_proxy.cfg b/etc/conf.d/6.13_diable_http_proxy.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.13_diable_http_proxy.cfg
+++ b/etc/conf.d/6.13_diable_http_proxy.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.14_disable_snmp_server.cfg b/etc/conf.d/6.14_disable_snmp_server.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.14_disable_snmp_server.cfg
+++ b/etc/conf.d/6.14_disable_snmp_server.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.15_mta_localhost.cfg b/etc/conf.d/6.15_mta_localhost.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.15_mta_localhost.cfg
+++ b/etc/conf.d/6.15_mta_localhost.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.16_disable_rsync.cfg b/etc/conf.d/6.16_disable_rsync.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.16_disable_rsync.cfg
+++ b/etc/conf.d/6.16_disable_rsync.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.1_disable_xwindow_system.cfg b/etc/conf.d/6.1_disable_xwindow_system.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.1_disable_xwindow_system.cfg
+++ b/etc/conf.d/6.1_disable_xwindow_system.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.2_disable_avahi_server.cfg b/etc/conf.d/6.2_disable_avahi_server.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.2_disable_avahi_server.cfg
+++ b/etc/conf.d/6.2_disable_avahi_server.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.3_disable_print_server.cfg b/etc/conf.d/6.3_disable_print_server.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.3_disable_print_server.cfg
+++ b/etc/conf.d/6.3_disable_print_server.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.4_disable_dhcp.cfg b/etc/conf.d/6.4_disable_dhcp.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.4_disable_dhcp.cfg
+++ b/etc/conf.d/6.4_disable_dhcp.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.5_configure_ntp.cfg b/etc/conf.d/6.5_configure_ntp.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.5_configure_ntp.cfg
+++ b/etc/conf.d/6.5_configure_ntp.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.6_diable_ldap.cfg b/etc/conf.d/6.6_diable_ldap.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.6_diable_ldap.cfg
+++ b/etc/conf.d/6.6_diable_ldap.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.7_disable_nfs_rpc.cfg b/etc/conf.d/6.7_disable_nfs_rpc.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.7_disable_nfs_rpc.cfg
+++ b/etc/conf.d/6.7_disable_nfs_rpc.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.8_disable_dns_server.cfg b/etc/conf.d/6.8_disable_dns_server.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.8_disable_dns_server.cfg
+++ b/etc/conf.d/6.8_disable_dns_server.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/6.9_disable_ftp.cfg b/etc/conf.d/6.9_disable_ftp.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/6.9_disable_ftp.cfg
+++ b/etc/conf.d/6.9_disable_ftp.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.1.1_disable_ip_forwarding.cfg b/etc/conf.d/7.1.1_disable_ip_forwarding.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.1.1_disable_ip_forwarding.cfg
+++ b/etc/conf.d/7.1.1_disable_ip_forwarding.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.1.2_disable_send_packet_redirects.cfg b/etc/conf.d/7.1.2_disable_send_packet_redirects.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.1.2_disable_send_packet_redirects.cfg
+++ b/etc/conf.d/7.1.2_disable_send_packet_redirects.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.2.1_disable_source_routed_packets.cfg b/etc/conf.d/7.2.1_disable_source_routed_packets.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.2.1_disable_source_routed_packets.cfg
+++ b/etc/conf.d/7.2.1_disable_source_routed_packets.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.2.2_disable_icmp_redirect.cfg b/etc/conf.d/7.2.2_disable_icmp_redirect.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.2.2_disable_icmp_redirect.cfg
+++ b/etc/conf.d/7.2.2_disable_icmp_redirect.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg b/etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg
+++ b/etc/conf.d/7.2.3_disable_secure_icmp_redirect.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.2.4_log_martian_packets.cfg b/etc/conf.d/7.2.4_log_martian_packets.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.2.4_log_martian_packets.cfg
+++ b/etc/conf.d/7.2.4_log_martian_packets.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.2.5_ignore_broadcast_requests.cfg b/etc/conf.d/7.2.5_ignore_broadcast_requests.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.2.5_ignore_broadcast_requests.cfg
+++ b/etc/conf.d/7.2.5_ignore_broadcast_requests.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg b/etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg
+++ b/etc/conf.d/7.2.6_enable_bad_error_message_protection.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.2.7_enable_source_route_validation.cfg b/etc/conf.d/7.2.7_enable_source_route_validation.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.2.7_enable_source_route_validation.cfg
+++ b/etc/conf.d/7.2.7_enable_source_route_validation.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg b/etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg
+++ b/etc/conf.d/7.2.8_enable_tcp_syn_cookies.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg b/etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg
+++ b/etc/conf.d/7.3.1_disable_ipv6_router_advertisement.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.3.2_disable_ipv6_redirect.cfg b/etc/conf.d/7.3.2_disable_ipv6_redirect.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.3.2_disable_ipv6_redirect.cfg
+++ b/etc/conf.d/7.3.2_disable_ipv6_redirect.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.3.3_disable_ipv6.cfg b/etc/conf.d/7.3.3_disable_ipv6.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.3.3_disable_ipv6.cfg
+++ b/etc/conf.d/7.3.3_disable_ipv6.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.4.1_install_tcp_wrapper.cfg b/etc/conf.d/7.4.1_install_tcp_wrapper.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.4.1_install_tcp_wrapper.cfg
+++ b/etc/conf.d/7.4.1_install_tcp_wrapper.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.4.2_hosts_allow.cfg b/etc/conf.d/7.4.2_hosts_allow.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.4.2_hosts_allow.cfg
+++ b/etc/conf.d/7.4.2_hosts_allow.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.4.3_hosts_allow_permissions.cfg b/etc/conf.d/7.4.3_hosts_allow_permissions.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.4.3_hosts_allow_permissions.cfg
+++ b/etc/conf.d/7.4.3_hosts_allow_permissions.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.4.4_hosts_deny.cfg b/etc/conf.d/7.4.4_hosts_deny.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.4.4_hosts_deny.cfg
+++ b/etc/conf.d/7.4.4_hosts_deny.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.4.5_hosts_deny_permissions.cfg b/etc/conf.d/7.4.5_hosts_deny_permissions.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.4.5_hosts_deny_permissions.cfg
+++ b/etc/conf.d/7.4.5_hosts_deny_permissions.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.5.1_disable_dccp.cfg b/etc/conf.d/7.5.1_disable_dccp.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.5.1_disable_dccp.cfg
+++ b/etc/conf.d/7.5.1_disable_dccp.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.5.2_disable_sctp.cfg b/etc/conf.d/7.5.2_disable_sctp.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.5.2_disable_sctp.cfg
+++ b/etc/conf.d/7.5.2_disable_sctp.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.5.3_disable_rds.cfg b/etc/conf.d/7.5.3_disable_rds.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.5.3_disable_rds.cfg
+++ b/etc/conf.d/7.5.3_disable_rds.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.6_disable_wireless.cfg b/etc/conf.d/7.6_disable_wireless.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.6_disable_wireless.cfg
+++ b/etc/conf.d/7.6_disable_wireless.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/7.7_enable_firewall.cfg b/etc/conf.d/7.7_enable_firewall.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/7.7_enable_firewall.cfg
+++ b/etc/conf.d/7.7_enable_firewall.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.0_enable_auditd_kernel.cfg b/etc/conf.d/8.0_enable_auditd_kernel.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.0_enable_auditd_kernel.cfg
+++ b/etc/conf.d/8.0_enable_auditd_kernel.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.1.1_audit_log_storage.cfg b/etc/conf.d/8.1.1.1_audit_log_storage.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.1.1_audit_log_storage.cfg
+++ b/etc/conf.d/8.1.1.1_audit_log_storage.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg b/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg
+++ b/etc/conf.d/8.1.1.2_halt_when_audit_log_full.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg b/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg
+++ b/etc/conf.d/8.1.1.3_keep_all_audit_logs.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.10_record_dac_edit.cfg b/etc/conf.d/8.1.10_record_dac_edit.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.10_record_dac_edit.cfg
+++ b/etc/conf.d/8.1.10_record_dac_edit.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.11_record_failed_access_file.cfg b/etc/conf.d/8.1.11_record_failed_access_file.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.11_record_failed_access_file.cfg
+++ b/etc/conf.d/8.1.11_record_failed_access_file.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.12_record_privileged_commands.cfg b/etc/conf.d/8.1.12_record_privileged_commands.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.12_record_privileged_commands.cfg
+++ b/etc/conf.d/8.1.12_record_privileged_commands.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.13_record_successful_mount.cfg b/etc/conf.d/8.1.13_record_successful_mount.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.13_record_successful_mount.cfg
+++ b/etc/conf.d/8.1.13_record_successful_mount.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.14_record_file_deletions.cfg b/etc/conf.d/8.1.14_record_file_deletions.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.14_record_file_deletions.cfg
+++ b/etc/conf.d/8.1.14_record_file_deletions.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.15_record_sudoers_edit.cfg b/etc/conf.d/8.1.15_record_sudoers_edit.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.15_record_sudoers_edit.cfg
+++ b/etc/conf.d/8.1.15_record_sudoers_edit.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.16_record_sudo_usage.cfg b/etc/conf.d/8.1.16_record_sudo_usage.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.16_record_sudo_usage.cfg
+++ b/etc/conf.d/8.1.16_record_sudo_usage.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.17_record_kernel_modules.cfg b/etc/conf.d/8.1.17_record_kernel_modules.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.17_record_kernel_modules.cfg
+++ b/etc/conf.d/8.1.17_record_kernel_modules.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.18_freeze_auditd_conf.cfg b/etc/conf.d/8.1.18_freeze_auditd_conf.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.18_freeze_auditd_conf.cfg
+++ b/etc/conf.d/8.1.18_freeze_auditd_conf.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.2_enable_auditd.cfg b/etc/conf.d/8.1.2_enable_auditd.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.2_enable_auditd.cfg
+++ b/etc/conf.d/8.1.2_enable_auditd.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.3_audit_bootloader.cfg b/etc/conf.d/8.1.3_audit_bootloader.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.3_audit_bootloader.cfg
+++ b/etc/conf.d/8.1.3_audit_bootloader.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.4_record_date_time_edit.cfg b/etc/conf.d/8.1.4_record_date_time_edit.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.4_record_date_time_edit.cfg
+++ b/etc/conf.d/8.1.4_record_date_time_edit.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.5_record_user_group_edit.cfg b/etc/conf.d/8.1.5_record_user_group_edit.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.5_record_user_group_edit.cfg
+++ b/etc/conf.d/8.1.5_record_user_group_edit.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.6_record_network_edit.cfg b/etc/conf.d/8.1.6_record_network_edit.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.6_record_network_edit.cfg
+++ b/etc/conf.d/8.1.6_record_network_edit.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.7_record_mac_edit.cfg b/etc/conf.d/8.1.7_record_mac_edit.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.7_record_mac_edit.cfg
+++ b/etc/conf.d/8.1.7_record_mac_edit.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.8_record_login_logout.cfg b/etc/conf.d/8.1.8_record_login_logout.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.8_record_login_logout.cfg
+++ b/etc/conf.d/8.1.8_record_login_logout.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.1.9_record_session_init.cfg b/etc/conf.d/8.1.9_record_session_init.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.1.9_record_session_init.cfg
+++ b/etc/conf.d/8.1.9_record_session_init.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.2.1_install_syslog-ng.cfg b/etc/conf.d/8.2.1_install_syslog-ng.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.2.1_install_syslog-ng.cfg
+++ b/etc/conf.d/8.2.1_install_syslog-ng.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.2.2_enable_syslog-ng.cfg b/etc/conf.d/8.2.2_enable_syslog-ng.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.2.2_enable_syslog-ng.cfg
+++ b/etc/conf.d/8.2.2_enable_syslog-ng.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.2.3_configure_syslog-ng.cfg b/etc/conf.d/8.2.3_configure_syslog-ng.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.2.3_configure_syslog-ng.cfg
+++ b/etc/conf.d/8.2.3_configure_syslog-ng.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.2.4_set_logfile_perm.cfg b/etc/conf.d/8.2.4_set_logfile_perm.cfg
index 83a0977..2b93105 100644
--- a/etc/conf.d/8.2.4_set_logfile_perm.cfg
+++ b/etc/conf.d/8.2.4_set_logfile_perm.cfg
@@ -1,3 +1,3 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
 SYSLOG_BASEDIR='/etc/syslog-ng'
diff --git a/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg b/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg
index 83a0977..2b93105 100644
--- a/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg
+++ b/etc/conf.d/8.2.5_syslog-ng_remote_host.cfg
@@ -1,3 +1,3 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
 SYSLOG_BASEDIR='/etc/syslog-ng'
diff --git a/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg b/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg
+++ b/etc/conf.d/8.2.6_remote_syslog-ng_acl.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.3.1_install_tripwire.cfg b/etc/conf.d/8.3.1_install_tripwire.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.3.1_install_tripwire.cfg
+++ b/etc/conf.d/8.3.1_install_tripwire.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.3.2_tripwire_cron.cfg b/etc/conf.d/8.3.2_tripwire_cron.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.3.2_tripwire_cron.cfg
+++ b/etc/conf.d/8.3.2_tripwire_cron.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/8.4_configure_logrotate.cfg b/etc/conf.d/8.4_configure_logrotate.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/8.4_configure_logrotate.cfg
+++ b/etc/conf.d/8.4_configure_logrotate.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.1.1_enable_cron.cfg b/etc/conf.d/9.1.1_enable_cron.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.1.1_enable_cron.cfg
+++ b/etc/conf.d/9.1.1_enable_cron.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.1.2_crontab_perm_ownership.cfg b/etc/conf.d/9.1.2_crontab_perm_ownership.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.1.2_crontab_perm_ownership.cfg
+++ b/etc/conf.d/9.1.2_crontab_perm_ownership.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg b/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg
+++ b/etc/conf.d/9.1.3_cron_hourly_perm_ownership.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg b/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg
+++ b/etc/conf.d/9.1.4_cron_daily_perm_ownership.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg b/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg
+++ b/etc/conf.d/9.1.5_cron_weekly_perm_ownership.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg b/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg
+++ b/etc/conf.d/9.1.6_cron_monthly_perm_ownership.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg b/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg
+++ b/etc/conf.d/9.1.7_cron_d_perm_ownership.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.1.8_cron_users.cfg b/etc/conf.d/9.1.8_cron_users.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.1.8_cron_users.cfg
+++ b/etc/conf.d/9.1.8_cron_users.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.2.1_enable_cracklib.cfg b/etc/conf.d/9.2.1_enable_cracklib.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.2.1_enable_cracklib.cfg
+++ b/etc/conf.d/9.2.1_enable_cracklib.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg b/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg
+++ b/etc/conf.d/9.2.2_enable_lockout_failed_password.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.2.3_limit_password_reuse.cfg b/etc/conf.d/9.2.3_limit_password_reuse.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.2.3_limit_password_reuse.cfg
+++ b/etc/conf.d/9.2.3_limit_password_reuse.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.3.10_disable_sshd_setenv.cfg b/etc/conf.d/9.3.10_disable_sshd_setenv.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.3.10_disable_sshd_setenv.cfg
+++ b/etc/conf.d/9.3.10_disable_sshd_setenv.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.3.11_sshd_ciphers.cfg b/etc/conf.d/9.3.11_sshd_ciphers.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.3.11_sshd_ciphers.cfg
+++ b/etc/conf.d/9.3.11_sshd_ciphers.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.3.12_sshd_idle_timeout.cfg b/etc/conf.d/9.3.12_sshd_idle_timeout.cfg
index c17c30f..34efc50 100644
--- a/etc/conf.d/9.3.12_sshd_idle_timeout.cfg
+++ b/etc/conf.d/9.3.12_sshd_idle_timeout.cfg
@@ -1,5 +1,5 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
 # In seconds, value of ClientAliveInterval, ClientAliveCountMax bedoing set to 0
 # Settles sshd idle timeout
 SSHD_TIMEOUT=900
diff --git a/etc/conf.d/9.3.13_sshd_limit_access.cfg b/etc/conf.d/9.3.13_sshd_limit_access.cfg
index 3373d5c..1fd153a 100644
--- a/etc/conf.d/9.3.13_sshd_limit_access.cfg
+++ b/etc/conf.d/9.3.13_sshd_limit_access.cfg
@@ -1,5 +1,5 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
 # Put here ssh user hardening list, there is a default in script to not break your configuration
 # However, it can erase current configuration
diff --git a/etc/conf.d/9.3.14_ssh_banner.cfg b/etc/conf.d/9.3.14_ssh_banner.cfg
index 500c8d6..91ec8ae 100644
--- a/etc/conf.d/9.3.14_ssh_banner.cfg
+++ b/etc/conf.d/9.3.14_ssh_banner.cfg
@@ -1,4 +1,4 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
 # Put here banner file, default to /etc/issue.net
 BANNER_FILE=""
diff --git a/etc/conf.d/9.3.1_sshd_protocol.cfg b/etc/conf.d/9.3.1_sshd_protocol.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.3.1_sshd_protocol.cfg
+++ b/etc/conf.d/9.3.1_sshd_protocol.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.3.2_sshd_loglevel.cfg b/etc/conf.d/9.3.2_sshd_loglevel.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.3.2_sshd_loglevel.cfg
+++ b/etc/conf.d/9.3.2_sshd_loglevel.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg b/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg
+++ b/etc/conf.d/9.3.3_sshd_conf_perm_ownership.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.3.4_disable_x11_forwarding.cfg b/etc/conf.d/9.3.4_disable_x11_forwarding.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.3.4_disable_x11_forwarding.cfg
+++ b/etc/conf.d/9.3.4_disable_x11_forwarding.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.3.5_sshd_maxauthtries.cfg b/etc/conf.d/9.3.5_sshd_maxauthtries.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.3.5_sshd_maxauthtries.cfg
+++ b/etc/conf.d/9.3.5_sshd_maxauthtries.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg b/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg
+++ b/etc/conf.d/9.3.6_enable_sshd_ignorerhosts.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg b/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg
+++ b/etc/conf.d/9.3.7_disable_sshd_hostbasedauthentication.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.3.8_disable_root_login.cfg b/etc/conf.d/9.3.8_disable_root_login.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.3.8_disable_root_login.cfg
+++ b/etc/conf.d/9.3.8_disable_root_login.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg b/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg
+++ b/etc/conf.d/9.3.9_disable_sshd_permitemptypasswords.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.4_secure_tty.cfg b/etc/conf.d/9.4_secure_tty.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.4_secure_tty.cfg
+++ b/etc/conf.d/9.4_secure_tty.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/9.5_restrict_su.cfg b/etc/conf.d/9.5_restrict_su.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/9.5_restrict_su.cfg
+++ b/etc/conf.d/9.5_restrict_su.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/99.1_timeout_tty.cfg b/etc/conf.d/99.1_timeout_tty.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/99.1_timeout_tty.cfg
+++ b/etc/conf.d/99.1_timeout_tty.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/etc/conf.d/99.2_disable_usb_devices.cfg b/etc/conf.d/99.2_disable_usb_devices.cfg
index e1e4502..acee522 100644
--- a/etc/conf.d/99.2_disable_usb_devices.cfg
+++ b/etc/conf.d/99.2_disable_usb_devices.cfg
@@ -1,2 +1,2 @@
 # Configuration for script of same name
-status=enabled
+status=disabled
diff --git a/lib/main.sh b/lib/main.sh
index fd73202..5c1497c 100644
--- a/lib/main.sh
+++ b/lib/main.sh
@@ -19,7 +19,7 @@ info "Working on $SCRIPT_NAME"
 if [ -z $status ]; then
 crit "Could not find status variable for $SCRIPT_NAME, considered as disabled"
- exit 0
+ exit 2
 fi
 # Arguments parsing
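Review bot: The new `exit 2` in the lib/main.sh hunk contradicts the message printed on the line just above it, which says the script is "considered as disabled": a missing `status` now ends the run with a failure code instead of being skipped, so anything that aggregates the exit codes of these scripts cannot tell a misconfigured check from a failed one unless that convention is written down. Either reword the message to say the script aborts, or add a comment above the new line such as `# exit 2: configuration error (no status in the cfg), distinct from a failed check`. The test on the hunk's first context line, `[ -z $status ]`, is unquoted; it only passes for an empty value because a one-argument `[` test is true for any non-empty string, and a value containing whitespace would break it — `if [ -z "$status" ]; then`.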